FKIE_CVE-2026-27567

Vulnerability from fkie_nvd - Published: 2026-02-24 15:21 - Updated: 2026-02-26 19:59
Summary
Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality: when an upload is created from an external URL, the server fetches that URL on the user's behalf, and insufficient validation of HTTP redirects during that fetch could allow an authenticated attacker to steer the request to internal network resources. The Payload environment is vulnerable only if it has at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection. Such a user could reach internal services, and because the fetched content is returned through the application, the response bodies of those services could be read by the attacker (a full-read SSRF rather than a blind one). This vulnerability has been patched in v3.75.0. As a workaround, disable external file uploads via the `disableExternalFile` upload collection option, or restrict `create` access on upload-enabled collections to trusted users only.
Impacted products
Vendor       Product   Version
payloadcms   payload   * (all versions before 3.75.0; see versionEndExcluding in the CPE match below)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "4B2A5539-08DE-4938-BAE6-7E8CC7364C4F",
              "versionEndExcluding": "3.75.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Payload is a free and open source headless content management system. Prior to 3.75.0, a Server-Side Request Forgery (SSRF) vulnerability exists in Payload\u0027s external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources. The Payload environment must have at least one collection with `upload` enabled and a user who has `create` access to that upload-enabled collection in order to be vulnerable. An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application. This vulnerability has been patched in v3.75.0. As a workaround, one may mitigate this vulnerability by disabling external file uploads via the `disableExternalFile` upload collection option, or by restricting `create` access on upload-enabled collections to trusted users only."
    }
  ],
  "id": "CVE-2026-27567",
  "lastModified": "2026-02-26T19:59:33.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-24T15:21:38.273",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/payloadcms/payload/commit/1041bb6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/payloadcms/payload/releases/tag/v3.75.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

