GHSA-6r7f-q7f5-wpx8

Source

https://github.com/advisories/GHSA-6r7f-q7f5-wpx8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6r7f-q7f5-wpx8/GHSA-6r7f-q7f5-wpx8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6r7f-q7f5-wpx8

Aliases

CVE-2026-34746

Published

2026-04-01T21:25:33Z

Modified

2026-04-06T17:03:02.871257Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Payload has Authenticated SSRF via Upload Functionality

Details

Impact

An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.

Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.

Consumers are affected if ALL of these are true:

Payload version < v3.79.1
At least one collection with upload enabled
An authenticated user has create or update access to that collection

Patches

This vulnerability has been patched in v3.79.1. Users should upgrade to v3.79.1 or later.

Workarounds

Until consumers can upgrade:

Restrict create and update access to upload-enabled collections to trusted roles only.
Limit outbound network access from your Payload server where possible.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:25:33Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-04-01T20:16:26Z"
}

References

Affected packages

npm / payload

Package

Name: payload; View open source insights on deps.dev
Purl: pkg:npm/payload

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.79.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-6r7f-q7f5-wpx8/GHSA-6r7f-q7f5-wpx8.json"