Platform: nodejs
Component: payload
Fixed in: 3.79.2, 3.79.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Payload, a Node.js component. This vulnerability allows authenticated users with the necessary permissions to induce the server to make outbound HTTP requests to arbitrary URLs. The issue affects Payload versions prior to 3.79.1 and requires a specific configuration: upload-enabled collections and user access with 'create' or 'update' privileges on them.
The SSRF vulnerability allows an authenticated attacker to bypass security controls and potentially access internal resources or external services that are not directly accessible from the public internet. An attacker could leverage this to scan internal networks, interact with internal APIs, or even exfiltrate sensitive data if the server has access to such data. The impact is amplified if the server is configured to interact with cloud services or other external APIs, as the attacker could potentially manipulate these interactions. This vulnerability shares similarities with other SSRF exploits where attackers leverage the server's trust to access resources it shouldn't.
CVE-2026-34746 was publicly disclosed on April 1, 2026. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been publicly released as of this writing. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations using Payload in their Node.js applications are at risk, particularly those with upload functionality enabled and where authenticated users have 'create' or 'update' access to those collections. Shared hosting environments utilizing Payload with default configurations are also potentially vulnerable.
• nodejs / server:
  npm list payload
• nodejs / server:
  npm audit payload
• nodejs / server:
  grep -r 'http.request' ./node_modules/payload

Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-34746 is to upgrade Payload to version 3.79.1 or later. If immediate upgrading is not feasible, consider temporarily disabling the upload functionality for collections where it is enabled. As a secondary measure, implement strict input validation and sanitization on any user-supplied URLs used in outbound requests. Web application firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense. After upgrading, verify the fix by attempting to trigger an outbound HTTP request through the upload functionality with a known malicious URL; the request should be blocked or denied.
Update Payload CMS to version 3.79.1 or later. This version contains the fix for the SSRF vulnerability. It is recommended to apply the update as soon as possible to reduce the risk.
CVE-2026-34746 is a HIGH severity SSRF vulnerability affecting Payload versions before 3.79.1, allowing authenticated users to trigger outbound HTTP requests.
You are affected if you use Payload version < 3.79.1, have upload-enabled collections, and authenticated users have 'create' or 'update' access.
Upgrade Payload to version 3.79.1 or later. Temporarily disable upload functionality if upgrading is not immediately possible.
No active exploitation has been publicly confirmed as of this writing, but monitoring is recommended.
Refer to the Payload project's official security advisories and release notes for the most up-to-date information.