{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34746", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-01T19:43:16.700Z", "dateUpdated": "2026-04-02T15:12:09.290Z"}, "containers": {"cna": {"title": "Payload has Authenticated SSRF via Upload Functionality", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8"}, {"name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"version": "< 3.79.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:43:16.700Z"}, "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1."}], "source": {"advisory": "GHSA-6r7f-q7f5-wpx8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:10:39.687505Z", "id": "CVE-2026-34746", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:12:09.290Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Payload has Authenticated SSRF via Upload Functionality", "source": {"advisory": "GHSA-6r7f-q7f5-wpx8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "payloadcms", "product": "payload", "versions": [{"status": "affected", "version": "< 3.79.1"}]}], "references": [{"url": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8", "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "name": "https://github.com/payloadcms/payload/releases/tag/v3.79.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:43:16.700Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34746", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:10:39.687505Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-02T15:12:03.551Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34746", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:43:16.700Z", "dateReserved": "2026-03-30T19:17:10.224Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T19:43:16.700Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1."}], "id": "CVE-2026-34746", "lastModified": "2026-04-01T20:16:26.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:26.727", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.79.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "payload", "source": "cna", "vendor": "payloadcms"}, "product": "payload", "vendor": "payloadcms"}], "analysis": {"en": {"generated_at": "2026-04-02T04:32:37.108902+00:00", "value": {"mitigation_remediation": ["Upgrade Payload CMS to version 3.79.1 or later.", "If patching is delayed, remove or revoke create/update permissions on upload\u2013enabled collections for all users.", "Configure the server\u2019s outbound firewall rules to restrict HTTP requests to only trusted domains.", "Verify that no unpatched instances remain in operation by auditing version numbers and upload configurations."], "summary": {"action": "Immediate Patch", "impact": "Authenticated SSRF"}, "threat_synthesis": {"affected_systems": "Payload CMS, version 3.79.0 and earlier. Only instances where uploads are enabled and collection roles permit create or update operations are susceptible. The issue is resolved in version 3.79.1.", "description_and_impact": "The vulnerability allows an authenticated user with create or update access to an upload\u2011enabled collection to trigger the server to issue HTTP requests to arbitrary URLs. This Server\u2011Side Request Forgery (CWE\u2011918) can enable the attacker to probe internal network services, exfiltrate sensitive data, or perform denial\u2011of\u2011service actions against target hosts. The impact is confined to the server\u2019s ability to reach out to outbound destinations, potentially exposing confidential internal resources.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity vulnerability. No EPSS score is reported, and the flaw is not listed in the CISA KEV catalog. An attacker must be authenticated and possess relevant collection permissions, which provides a lower attack surface compared to unauthenticated exploits, yet the potential damage from internal network access is significant."}}}}, "created": "2026-04-02T07:48:01.087318+00:00", "updated": "2026-04-02T20:16:53.866380+00:00", "vendors": ["payloadcms", "payloadcms$PRODUCT$payload"]}