Description
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Published: 2026-04-01
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account Impersonation via Unauthenticated Password Reset
Action: Immediate Patch
AI Analysis

Impact

An attacker can exploit unvalidated input in the password recovery endpoint of Payload CMS, prior to version 3.79.1 of @payloadcms/graphql and payload, to perform privileged actions without authentication. The flaw allows a remote user to initiate and control a password reset for any account, thereby enabling the attacker to act as the victim and gain full access to the system’s data and capabilities. This reflects a critical input‑validation omission, corresponding to CWE‑472 and CWE‑640.

Affected Systems

Payload CMS, using @payloadcms/graphql and payload packages, is affected in all releases prior to 3.79.1. Any installation running those versions exposes the vulnerable password recovery flow until upgraded.

Risk and Exploitability

The CVSS base score of 9.1 indicates a high severity issue. Although no EPSS score is available and the vulnerability is not listed in CISA KEV, the flaw remains likely to be abused. Exploitation demands only access to the publicly exposed password‑reset endpoint; no credentials or additional privileges are required, making the attack vector straightforward for an unauthenticated adversary.

Generated by OpenCVE AI on April 2, 2026 at 04:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Payload CMS and @payloadcms/graphql to version 3.79.1 or later.
  • If upgrade is delayed, restrict or block the password‑reset endpoint with a firewall or network ACL.
  • Implement logging and monitor for anomalous password‑reset requests; apply rate limiting to the endpoint.
  • Consider disabling password recovery or enforcing stronger verification if the feature is not essential.

Generated by OpenCVE AI on April 2, 2026 at 04:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hp5w-3hxx-vmwf Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*

Sat, 04 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Payloadcms
Payloadcms payload
Vendors & Products Payloadcms
Payloadcms payload

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Title Payload has Unvalidated Input in Password Recovery Endpoints
Weaknesses CWE-472
CWE-640
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Payloadcms Payload
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-04T03:06:17.817Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34751

cve-icon Vulnrichment

Updated: 2026-04-04T03:06:13.779Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T18:16:31.277

Modified: 2026-04-15T14:36:31.277

Link: CVE-2026-34751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:56Z

Weaknesses