{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39397", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.516Z", "datePublished": "2026-04-07T20:09:19.962Z", "dateUpdated": "2026-04-07T20:33:24.005Z"}, "containers": {"cna": {"title": "@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85"}, {"name": "https://github.com/delmaredigital/payload-puck/issues/7", "tags": ["x_refsource_MISC"], "url": "https://github.com/delmaredigital/payload-puck/issues/7"}, {"name": "https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4", "tags": ["x_refsource_MISC"], "url": "https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4"}], "affected": [{"vendor": "delmaredigital", "product": "payload-puck", "versions": [{"version": "< 0.6.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:09:19.962Z"}, "descriptions": [{"lang": "en", "value": "@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23."}], "source": {"advisory": "GHSA-65w6-pf7x-5g85", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T20:33:14.223376Z", "id": "CVE-2026-39397", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:33:24.005Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39397", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T20:33:14.223376Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T20:33:19.339Z"}}], "cna": {"title": "@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections", "source": {"advisory": "GHSA-65w6-pf7x-5g85", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "delmaredigital", "product": "payload-puck", "versions": [{"status": "affected", "version": "< 0.6.23"}]}], "references": [{"url": "https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85", "name": "https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/delmaredigital/payload-puck/issues/7", "name": "https://github.com/delmaredigital/payload-puck/issues/7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4", "name": "https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:09:19.962Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39397", "state": "PUBLISHED", "dateUpdated": "2026-04-07T20:33:24.005Z", "dateReserved": "2026-04-06T22:06:40.516Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T20:09:19.962Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:delmaredigital:payload-puck:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0B73DEC7-D7FC-4452-91E1-746E16F0A536", "versionEndExcluding": "0.6.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23."}], "id": "CVE-2026-39397", "lastModified": "2026-04-15T20:29:13.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T21:17:18.160", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/delmaredigital/payload-puck/issues/7"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.6.23)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "payload-puck", "source": "cna", "vendor": "delmaredigital"}, "product": "payload-puck", "vendor": "delmaredigital"}], "analysis": {"en": {"generated_at": "2026-04-07T22:15:20.428192+00:00", "value": {"mitigation_remediation": ["Update the delmaredigital/payload-puck plugin to version 0.6.23 or newer.", "If an immediate update is not possible, block access to the /api/puck/* endpoints at the network or reverse\u2011proxy level so that only trusted clients can reach them.", "Verify that collection\u2011level access rules are correctly defined and enforced for any remaining Puck\u2011registered collections.", "Consider disabling any unused Puck\u2011registered collections to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access and Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts installations of the delmaredigital:payload-puck plugin on any PayloadCMS site that use a version earlier than 0.6.23. No other vendors or product versions are reported as affected.", "description_and_impact": "@delmaredigital/payload-puck is a PayloadCMS plugin that, prior to version 0.6.23, allowed any user to invoke its /api/puck/* CRUD endpoints. The default overrideAccess:true setting bypassed all collection\u2011level access control, meaning an attacker could read, create, update or delete content in any Puck\u2011registered collection without authentication. This flaw directly compromises data confidentiality, integrity and availability within the affected CMS instance.", "risk_and_exploitability": "With a CVSS score of 9.4 the flaw is considered critical. External Probability of Success (EPSS) is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web\u2011based API request to /api/puck/* endpoints, which can be performed by any party without credentials. Exploitation requires the plugin to be present and running on a PayloadCMS instance that has not been patched to 0.6.23."}}}}, "created": "2026-04-08T19:34:22.026040+00:00", "updated": "2026-04-08T19:45:50.914820+00:00", "vendors": ["delmaredigital", "delmaredigital$PRODUCT$payload-puck"]}