GHSA-HP5W-3HXX-VMWF
Vulnerability from github – Published: 2026-04-01 16:08 – Updated: 2026-04-08 18:19
VLAI?
Summary
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
Details
Impact
A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.
Users are affected if:
- They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in
forgot-passwordfunctionality.
Patches
Input validation and URL construction in the password recovery flow have been hardened.
Users should upgrade to v3.79.1 or later.
Workarounds
There are no complete workarounds. Upgrading to v3.79.1 is recommended.
Severity ?
9.1 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "payload"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.79.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@payloadcms/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.79.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34751"
],
"database_specific": {
"cwe_ids": [
"CWE-472",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T16:08:02Z",
"nvd_published_at": "2026-04-01T18:16:31Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nA vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.\n\nUsers are affected if:\n\n- They are using Payload version **\u003c v3.79.1** with any auth-enabled collection using the built-in `forgot-password` functionality.\n\n### Patches\n\nInput validation and URL construction in the password recovery flow have been hardened.\n\nUsers should upgrade to **v3.79.1** or later.\n\n### Workarounds\n\nThere are no complete workarounds. Upgrading to **v3.79.1** is recommended.",
"id": "GHSA-hp5w-3hxx-vmwf",
"modified": "2026-04-08T18:19:10Z",
"published": "2026-04-01T16:08:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34751"
},
{
"type": "PACKAGE",
"url": "https://github.com/payloadcms/payload"
},
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…