GHSA-hp5w-3hxx-vmwf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hp5w-3hxx-vmwf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hp5w-3hxx-vmwf/GHSA-hp5w-3hxx-vmwf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hp5w-3hxx-vmwf
- Aliases
-
- CVE-2026-34751
- Published
- 2026-04-01T16:08:02Z
- Modified
- 2026-04-08T18:32:13.481850Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
- Details
-
Impact
A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.
Users are affected if:
- They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in
forgot-passwordfunctionality.
Patches
Input validation and URL construction in the password recovery flow have been hardened.
Users should upgrade to v3.79.1 or later.
Workarounds
There are no complete workarounds. Upgrading to v3.79.1 is recommended.
- They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in
- Database specific
{ "nvd_published_at": "2026-04-01T18:16:31Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-472", "CWE-640" ], "github_reviewed_at": "2026-04-01T16:08:02Z" }- References
Affected packages
npm / payload
Package
- Name
- payload
- View open source insights on deps.dev
- Purl
- pkg:npm/payload
npm / @payloadcms/graphql
Package
- Name
- @payloadcms/graphql
- View open source insights on deps.dev
- Purl
- pkg:npm/%40payloadcms/graphql