{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34751", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.225Z", "datePublished": "2026-04-01T17:42:45.827Z", "dateUpdated": "2026-04-04T03:06:17.817Z"}, "containers": {"cna": {"title": "Payload has Unvalidated Input in Password Recovery Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-472", "lang": "en", "description": "CWE-472: External Control of Assumed-Immutable Web Parameter", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-640", "lang": "en", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"}, {"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.79.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:42:45.827Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload."}], "source": {"advisory": "GHSA-hp5w-3hxx-vmwf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:06:01.663817Z", "id": "CVE-2026-34751", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:06:17.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-04T03:06:01.663817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:06:13.779Z"}}], "cna": {"title": "Payload has Unvalidated Input in Password Recovery Endpoints", "source": {"advisory": "GHSA-hp5w-3hxx-vmwf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.79.1"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-472", "description": "CWE-472: External Control of Assumed-Immutable Web Parameter"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:42:45.827Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34751", "state": "PUBLISHED", "dateUpdated": "2026-04-04T03:06:17.817Z", "dateReserved": "2026-03-30T19:17:10.225Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T17:42:45.827Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B4AE65F8-450D-4573-9CD7-1AA42CE5DC28", "versionEndExcluding": "3.79.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload."}], "id": "CVE-2026-34751", "lastModified": "2026-04-15T14:36:31.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T18:16:31.277", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-472"}, {"lang": "en", "value": "CWE-640"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.79.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-02T04:34:11.145123+00:00", "value": {"mitigation_remediation": ["Upgrade Payload CMS and @payloadcms/graphql to version 3.79.1 or later.", "If upgrade is delayed, restrict or block the password\u2011reset endpoint with a firewall or network ACL.", "Implement logging and monitor for anomalous password\u2011reset requests; apply rate limiting to the endpoint.", "Consider disabling password recovery or enforcing stronger verification if the feature is not essential."], "summary": {"action": "Immediate Patch", "impact": "Account Impersonation via Unauthenticated Password Reset"}, "threat_synthesis": {"affected_systems": "Payload CMS, using @payloadcms/graphql and payload packages, is affected in all releases prior to 3.79.1. Any installation running those versions exposes the vulnerable password recovery flow until upgraded.", "description_and_impact": "An attacker can exploit unvalidated input in the password recovery endpoint of Payload CMS, prior to version 3.79.1 of @payloadcms/graphql and payload, to perform privileged actions without authentication. The flaw allows a remote user to initiate and control a password reset for any account, thereby enabling the attacker to act as the victim and gain full access to the system\u2019s data and capabilities. This reflects a critical input\u2011validation omission, corresponding to CWE\u2011472 and CWE\u2011640.", "risk_and_exploitability": "The CVSS base score of 9.1 indicates a high severity issue. Although no EPSS score is available and the vulnerability is not listed in CISA KEV, the flaw remains likely to be abused. Exploitation demands only access to the publicly exposed password\u2011reset endpoint; no credentials or additional privileges are required, making the attack vector straightforward for an unauthenticated adversary."}}}}, "created": "2026-04-02T07:48:04.705291+00:00", "updated": "2026-04-02T20:16:56.718774+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}