CVE-2026-39397

@delmaredigital/payload-puc: missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

Impact

All /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints.

An unauthenticated remote attacker could:

  • List all documents (including drafts) in any Puck-registered collection
  • Read any document by ID (including drafts)
  • Create new documents with arbitrary field values
  • Update any document (including bypassing field-level access rules)
  • Delete any document
  • Read version history and restore arbitrary versions

In typical installations, the affected scope is the collection backing the website's pages (default slug: pages). For most users this means an attacker could read, modify, create, or delete every page on the website — including unpublished drafts and version history.

Scope is limited to collections explicitly registered with createPuckPlugin(): the endpoints validate the collection slug against an allowlist, so attackers cannot pivot to other Payload collections such as users, media, or business data not exposed to the plugin. The auto-created puck-templates, puck-ai-prompts, and puck-ai-context collections are also outside the allowlist; they have their own dedicated endpoints with separate authentication.

Other endpoints in the plugin (AI, styles, prompts, context, and the Next.js API route factories in src/api/) were unaffected because they perform their own authentication checks before touching data.

Patches

Fixed in 0.6.23. All endpoint handlers in src/endpoints/index.ts now pass overrideAccess: false and forward req to Payload's local API, so collection-level access rules are evaluated against the current user.
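To make the mechanism concrete, here is an added example (not the plugin's code, and not Payload's) built on a minimal stand-in for Payload's local API. It models only the behaviour the advisory turns on: overrideAccess defaults to true, and while it is true the collection's access functions are never consulted. The collection, document and request shapes (pagesCollection, Doc, LocalRequest), the sample data, and the handler names are assumptions for illustration; the "before" handlers mirror the shape the advisory describes and the "after" handlers mirror the 0.6.23 change (overrideAccess: false plus a forwarded req).

```typescript
// Added example, not the plugin's code: a stand-in for Payload's local API that models
// one thing, namely that `overrideAccess` defaults to true and, when true, skips the
// collection's access functions. Shapes below are assumptions for illustration.

type User = { id: string; roles: string[] } | null;
type LocalRequest = { user: User };
type Doc = { id: string; title: string; _status: 'draft' | 'published' };

// Payload access functions may return a boolean or a query constraint; this model
// supports one constraint shape, a filter on _status.
type Where = { _status: { equals: Doc['_status'] } };
type AccessResult = boolean | Where;
type AccessFn = (args: { req: LocalRequest }) => AccessResult;
type Op = 'read' | 'update' | 'delete';
type CollectionConfig = { slug: string; access: Record<Op, AccessFn> };

class ForbiddenError extends Error {}

// Constructed sample collection: anyone may read published pages, only a logged-in
// user sees drafts, only editors may update and only admins may delete.
const pagesCollection: CollectionConfig = {
  slug: 'pages',
  access: {
    read: ({ req }) => (req.user ? true : { _status: { equals: 'published' } }),
    update: ({ req }) => req.user?.roles.includes('editor') ?? false,
    delete: ({ req }) => req.user?.roles.includes('admin') ?? false,
  },
};
const collections: CollectionConfig[] = [pagesCollection];

// Constructed sample data, including an unpublished draft.
const store: Record<string, Doc[]> = {
  pages: [
    { id: '1', title: 'Home', _status: 'published' },
    { id: '2', title: 'Unannounced launch', _status: 'draft' },
  ],
};

type LocalArgs = { collection: string; req?: LocalRequest; overrideAccess?: boolean };

// Like Payload, overrideAccess defaults to true. Only when it is false does the access
// function run, as the user on the forwarded req (anonymous when no req is given).
function evaluateAccess(op: Op, args: LocalArgs): true | Where {
  const collection = collections.find((c) => c.slug === args.collection);
  if (!collection) throw new Error(`unknown collection: ${args.collection}`);
  if (args.overrideAccess ?? true) return true;
  const result = collection.access[op]({ req: args.req ?? { user: null } });
  if (result === false) throw new ForbiddenError(`${op} on ${args.collection} denied`);
  return result;
}

// Stand-in for payload.find(): applies the access result as a filter.
function localFind(args: LocalArgs): Doc[] {
  const access = evaluateAccess('read', args);
  const docs = store[args.collection] ?? [];
  return access === true ? docs : docs.filter((d) => d._status === access._status.equals);
}

// Stand-in for payload.delete() by id.
function localDelete(args: LocalArgs & { id: string }): Doc {
  evaluateAccess('delete', args);
  const docs = store[args.collection] ?? [];
  const idx = docs.findIndex((d) => d.id === args.id);
  if (idx === -1) throw new Error(`not found: ${args.id}`);
  return docs.splice(idx, 1)[0];
}

// The endpoints only accept slugs registered with the plugin (the advisory's allowlist).
const puckCollections = new Set(['pages']);
function assertRegistered(slug: string): void {
  if (!puckCollections.has(slug)) throw new Error(`collection not registered with Puck: ${slug}`);
}

// Before 0.6.23: the local API is called without overrideAccess and without req, so the
// default (true) applies and access.read never runs; an anonymous caller sees the draft.
function vulnerableList(_req: LocalRequest, slug: string): Doc[] {
  assertRegistered(slug);
  return localFind({ collection: slug });
}
function vulnerableDelete(_req: LocalRequest, slug: string, id: string): Doc {
  assertRegistered(slug);
  return localDelete({ collection: slug, id });
}

// 0.6.23 shape: overrideAccess: false and req forwarded, so access rules run as the caller.
function fixedList(req: LocalRequest, slug: string): Doc[] {
  assertRegistered(slug);
  return localFind({ collection: slug, overrideAccess: false, req });
}
function fixedDelete(req: LocalRequest, slug: string, id: string): Doc {
  assertRegistered(slug);
  return localDelete({ collection: slug, id, overrideAccess: false, req });
}
```

The allowlist is what keeps the blast radius to Puck-registered collections, as the advisory notes, but it says nothing about who the caller is; that is the job of the access functions, and they only run when overrideAccess is false and a req carrying the user is passed. Auditing for this class of bug means grepping every network-reachable handler for local API calls that omit overrideAccess: false, since the safe-looking default is the unsafe one here.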

Workarounds

If you cannot upgrade immediately, place a reverse-proxy or middleware authentication check in front of /api/puck/* to require an authenticated session before requests reach the plugin's handlers. The check must validate the session, for example by calling Payload's me endpoint for your auth collection (e.g. /api/users/me) with the request's cookies, rather than merely testing for the presence of a cookie. Note that this gate is coarser than the fix: it also blocks anonymous reads that a collection's own access rules might permit, so treat it as a stopgap until 0.6.23 is deployed.
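One way to implement that stopgap, as an added example that is not part of the advisory or the plugin: a session gate in the shape of Next.js middleware, written against the Web-standard Request/Response types so that the decision logic can be exercised offline. It assumes Payload's default auth cookie name (payload-token), the default auth collection slug (users, hence /api/users/me), and a Payload server reachable at the PAYLOAD_ORIGIN placeholder; adjust all three to your deployment.

```typescript
// Added example, not from the advisory or the plugin: a session gate for /api/puck/*.
// Assumptions: cookie name payload-token, auth collection slug users, PAYLOAD_ORIGIN.

const PUCK_PREFIX = '/api/puck/';
const PAYLOAD_ORIGIN = 'http://127.0.0.1:3000'; // assumed; point at your Payload server
const SESSION_COOKIE = 'payload-token'; // Payload's default auth cookie name

// Cheap pre-check: with no auth cookie at all there is no session, so skip the round trip.
function hasSessionCookie(cookieHeader: string | null): boolean {
  if (!cookieHeader) return false;
  return cookieHeader.split(';').some((part) => part.trim().startsWith(`${SESSION_COOKIE}=`));
}

// The real check: a cookie's presence proves nothing, so ask Payload whether it maps to
// a user. Only a JSON body with a non-null `user` counts as an authenticated session.
async function sessionIsValid(cookieHeader: string | null): Promise<boolean> {
  if (!hasSessionCookie(cookieHeader)) return false;
  const res = await fetch(`${PAYLOAD_ORIGIN}/api/users/me`, {
    headers: { cookie: cookieHeader as string },
  });
  if (!res.ok) return false;
  const body = (await res.json()) as { user?: unknown };
  return body.user !== null && body.user !== undefined;
}

// Pure decision: only /api/puck/* is gated, and only a verified session passes.
// Returning undefined lets the request continue to the plugin's handler.
function puckGateDecision(pathname: string, sessionOk: boolean): Response | undefined {
  if (!pathname.startsWith(PUCK_PREFIX)) return undefined;
  if (sessionOk) return undefined;
  return new Response('Unauthorized', { status: 401, headers: { 'content-type': 'text/plain' } });
}

// Middleware entry point. With the matcher below, Next.js only invokes this for the
// plugin's routes; the prefix check in puckGateDecision is kept so the gate stays correct
// if the matcher is later widened.
export async function middleware(request: Request): Promise<Response | undefined> {
  const pathname = new URL(request.url).pathname;
  // Skip the session round trip for paths that are not gated.
  const ok = pathname.startsWith(PUCK_PREFIX) && (await sessionIsValid(request.headers.get('cookie')));
  return puckGateDecision(pathname, ok);
}

export const config = { matcher: ['/api/puck/:path*'] };
```

Whether a 401 here is acceptable depends on whether your own front end reads page data through these endpoints; if it does, the gate breaks anonymous rendering and the upgrade is the only clean option. If you front Payload with a reverse proxy instead, the same decision applies: forward the request's cookies to the me endpoint and only let 2xx responses with a non-null user through.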

Package Versions Affected

All versions before 0.6.23 (fixed in 0.6.23).


CVSS

Severity: Critical
Base Score: 9.4
CVSS Version: 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L


References

  • https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85
  • https://nvd.nist.gov/vuln/detail/CVE-2026-39397
  • https://github.com/delmaredigital/payload-puck/issues/7
  • https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4
  • https://github.com/delmaredigital/payload-puck


Basic Information

Ecosystem: npm
Base CVSS: 9.4
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 0
Fix Available: 0.6.23
