GHSA-P6MR-XF3R-GHQ4
Vulnerability from github – Published: 2026-04-01 21:36 – Updated: 2026-04-01 21:36
VLAI?
Summary
Payload has a CSRF Protection Bypass in Authentication Flow
Details
Impact
A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.
Consumers are affected if ALL of these are true:
- Payload version < v3.79.1
serverURLis configured
Patches
This vulnerability has been patched in v3.79.1. Additional validation has been added to the authentication flow.
Consumers should upgrade to v3.79.1 or later.
Workarounds
There is no complete workaround without upgrading.
If consumers cannot upgrade immediately, setting cookies.sameSite to 'Strict' will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).
Severity ?
5.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "payload"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.79.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34749"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:36:06Z",
"nvd_published_at": "2026-04-01T20:16:27Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.\n\nConsumers are affected if ALL of these are true:\n\n- Payload version **\u003c v3.79.1**\n- `serverURL` is configured\n\n### Patches\n\nThis vulnerability has been patched in **v3.79.1**. Additional validation has been added to the authentication flow.\n\nConsumers should upgrade to **v3.79.1** or later.\n\n### Workarounds\n\nThere is no complete workaround without upgrading. \n\nIf consumers cannot upgrade immediately, setting `cookies.sameSite` to `\u0027Strict\u0027` will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).",
"id": "GHSA-p6mr-xf3r-ghq4",
"modified": "2026-04-01T21:36:06Z",
"published": "2026-04-01T21:36:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34749"
},
{
"type": "PACKAGE",
"url": "https://github.com/payloadcms/payload"
},
{
"type": "WEB",
"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Payload has a CSRF Protection Bypass in Authentication Flow"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…