GHSA-p6mr-xf3r-ghq4

Source
https://github.com/advisories/GHSA-p6mr-xf3r-ghq4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-p6mr-xf3r-ghq4/GHSA-p6mr-xf3r-ghq4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p6mr-xf3r-ghq4
Aliases
  • CVE-2026-34749
Published
2026-04-01T21:36:06Z
Modified
2026-04-01T21:48:31.526811Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Summary
Payload has a CSRF Protection Bypass in Authentication Flow
Details

Impact

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Consumers are affected if ALL of these are true:

  • Payload version < v3.79.1
  • serverURL is configured

Patches

This vulnerability has been patched in v3.79.1. Additional validation has been added to the authentication flow.

Consumers should upgrade to v3.79.1 or later.

Workarounds

There is no complete workaround without upgrading.

If consumers cannot upgrade immediately, setting cookies.sameSite to 'Strict' will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).
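To make the trade-off described in this workaround concrete, the following is an added illustration (not part of the advisory and not Payload's code) that models how a browser decides whether to attach a cookie to a request depending on the cookie's SameSite attribute. The model is deliberately simplified: the "site" comparison takes the last two host labels instead of consulting the Public Suffix List, and browser-specific exceptions (such as Chromium's temporary Lax exemption for freshly set cookies) are omitted. The cookie name, hostnames and request scenarios are constructed for the example.

```javascript
// Simplified model of the browser's SameSite cookie decision.
// Added illustration for the advisory's workaround; not Payload code.

const SAME_SITE = { STRICT: 'Strict', LAX: 'Lax', NONE: 'None' };
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Registrable site of a URL. Simplified to the last two host labels;
// real browsers use the Public Suffix List (e.g. "co.uk" handling).
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

// Decide whether `cookie` is attached to `request`.
// request: { url, initiator, method, topLevelNavigation }
//   initiator: URL of the page that caused the request, or null for a
//              navigation the user typed directly into the address bar.
function cookieSent(cookie, request) {
  const sameSite = cookie.sameSite || SAME_SITE.LAX; // modelled default
  const crossSite =
    request.initiator !== null && siteOf(request.initiator) !== siteOf(request.url);
  if (!crossSite) return true; // same-site requests always carry the cookie

  switch (sameSite) {
    case SAME_SITE.NONE:
      return Boolean(cookie.secure); // SameSite=None is only honoured with Secure
    case SAME_SITE.LAX:
      // Lax: cross-site cookie only on top-level navigations with safe methods
      return request.topLevelNavigation && SAFE_METHODS.includes(request.method.toUpperCase());
    case SAME_SITE.STRICT:
      return false; // Strict: never sent cross-site, not even on link clicks
    default:
      return false;
  }
}

// Constructed cookie and scenarios (hostnames are placeholders).
const sessionCookie = { name: 'session', secure: true, sameSite: SAME_SITE.STRICT };

const scenarios = {
  // form auto-submitted from a page on another site: the classic CSRF shape
  crossSitePost: {
    url: 'https://cms.example.com/api/users/login',
    initiator: 'https://other.example.net/',
    method: 'POST',
    topLevelNavigation: true,
  },
  // user follows a link to the admin UI from webmail hosted on another site
  externalLink: {
    url: 'https://cms.example.com/admin',
    initiator: 'https://mail.example.net/',
    method: 'GET',
    topLevelNavigation: true,
  },
  // the admin UI calling its own API
  sameSiteFetch: {
    url: 'https://cms.example.com/api/users/me',
    initiator: 'https://cms.example.com/admin',
    method: 'GET',
    topLevelNavigation: false,
  },
};

// Run every scenario for a given SameSite value and report which ones carry the cookie.
function evaluate(sameSite) {
  const cookie = { ...sessionCookie, sameSite };
  const result = {};
  for (const [name, req] of Object.entries(scenarios)) {
    result[name] = cookieSent(cookie, req);
  }
  return result;
}

for (const mode of Object.values(SAME_SITE)) {
  console.log(`SameSite=${mode}:`, evaluate(mode));
}
```

Running the block shows the trade-off the advisory describes: with `Strict`, the cookie is withheld on the cross-site POST and also on the top-level link from the external site, which is why users arriving from e-mail or other sites have to sign in again; with `Lax`, the external link still carries the cookie but the cross-site POST does not; with `None`, every scenario carries it, so the application's own CSRF validation is the only remaining defence.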

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:36:06Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-04-01T20:16:27Z"
}
References

Affected packages

npm / payload

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.79.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-p6mr-xf3r-ghq4/GHSA-p6mr-xf3r-ghq4.json"