{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34749", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-01T19:49:35.934Z", "dateUpdated": "2026-04-06T19:46:32.770Z"}, "containers": {"cna": {"title": "Payload has a CSRF Protection Bypass in Authentication Flow", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4"}, {"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.79.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:49:35.934Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1."}], "source": {"advisory": "GHSA-p6mr-xf3r-ghq4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:11:02.350739Z", "id": "CVE-2026-34749", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:46:32.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34749", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T14:11:02.350739Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:11:06.607Z"}}], "cna": {"title": "Payload has a CSRF Protection Bypass in Authentication Flow", "source": {"advisory": "GHSA-p6mr-xf3r-ghq4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.79.1"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:49:35.934Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34749", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:46:32.770Z", "dateReserved": "2026-03-30T19:17:10.224Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T19:49:35.934Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B4AE65F8-450D-4573-9CD7-1AA42CE5DC28", "versionEndExcluding": "3.79.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1."}], "id": "CVE-2026-34749", "lastModified": "2026-04-13T19:13:43.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:27.187", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-p6mr-xf3r-ghq4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.79.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-13T21:45:45.339229+00:00", "value": {"mitigation_remediation": ["Upgrade Payload CMS to version 3.79.1 or later", "Verify that CSRF protection is enabled and correctly configured after the update"], "summary": {"action": "Patch", "impact": "Unauthorized actions via forged requests"}, "threat_synthesis": {"affected_systems": "All Payload CMS installations running a version older than 3.79.1 are affected. The vulnerability is present in the default Payload product distributed by payloadcms:payload.", "description_and_impact": "A Cross-Site Request Forgery vulnerability in Payload CMS allows an attacker to forge requests against the authentication flow when the CSRF protection is misconfigured or bypassed. The exploit can execute actions that the authenticated user is authorized to perform, potentially leading to unauthorized data modification or other unintended behavior. The weakness is identified as a CSRF flaw.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector, inferred from the description, involves an attacker sending crafted HTTP requests to the authentication endpoints of a web application where a victim is already logged in. Because CSRF exploits rely on the victim\u2019s authenticated session, successful execution would allow the attacker to perform privileged actions as that user."}}}}, "created": "2026-04-02T07:47:56.982265+00:00", "updated": "2026-04-14T16:42:07.805492+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}