CVE-2026-34746
Impact
An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.
Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.
Consumers are affected if ALL of these are true:
- Payload version < v3.79.1
- At least one collection with `upload` enabled
- An authenticated user has `create` or `update` access to that collection
Patches
This vulnerability has been patched in v3.79.1. Users should upgrade to v3.79.1 or later.
Workarounds
Until consumers can upgrade:
- Restrict `create` and `update` access to upload-enabled collections to trusted roles only.
- Limit outbound network access from your Payload server where possible.
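
One way to check a configuration against the second and third conditions above, and against the first workaround, as an added example that is not Payload's own code. The types are local stand-ins rather than imports from the payload package, access functions are assumed to be synchronous, and the slugs, role names and probe user are constructed.

```typescript
// Stand-in types for this added example; NOT imported from the payload package.
type User = { id: string; roles: string[] } | null;
type AccessResult = boolean | Record<string, unknown>; // object = query-constrained grant
type AccessFn = (args: { req: { user: User } }) => AccessResult;
interface CollectionLike {
  slug: string;
  upload?: boolean | Record<string, unknown>;
  access?: { create?: AccessFn; update?: AccessFn };
}
type Finding = { slug: string; operation: "create" | "update" };

// Assumption: an operation with no access function is open to any logged-in user.
const loggedInOnly: AccessFn = ({ req }) => Boolean(req.user);

// Report upload-enabled collections where `probe` (a constructed low-privilege
// user) is granted create or update, i.e. the exposure conditions listed above.
function auditUploadAccess(collections: CollectionLike[], probe: User): Finding[] {
  const findings: Finding[] = [];
  for (const c of collections) {
    if (!c.upload) continue; // only upload-enabled collections are in scope
    for (const operation of ["create", "update"] as const) {
      const fn = c.access?.[operation] ?? loggedInOnly;
      let granted: AccessResult;
      try {
        granted = fn({ req: { user: probe } });
      } catch {
        granted = true; // could not evaluate: report it for manual review
      }
      if (granted) findings.push({ slug: c.slug, operation });
    }
  }
  return findings;
}

// Constructed sample config: "media" relies on defaults, "documents" is restricted.
const isTrusted: AccessFn = ({ req }) =>
  Boolean(req.user && req.user.roles.indexOf("admin") !== -1);
const sampleCollections: CollectionLike[] = [
  { slug: "media", upload: true },
  { slug: "documents", upload: { staticDir: "docs" }, access: { create: isTrusted, update: isTrusted } },
  { slug: "posts", access: { create: loggedInOnly } }, // no upload: out of scope
];
const sampleProbe: User = { id: "probe-1", roles: ["author"] };
```

Run it with a probe user that models the least trusted role able to log in; an empty result means no upload-enabled collection grants that role `create` or `update`.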
References
- https://github.com/payloadcms/payload/security/advisories/GHSA-6r7f-q7f5-wpx8
- https://nvd.nist.gov/vuln/detail/CVE-2026-34746
- https://github.com/payloadcms/payload
- https://github.com/payloadcms/payload/releases/tag/v3.79.1
