CVSS 9.1 | CVE-2026-34751 | CVE-2026-34747 | CVE-2026-34749

Payload Patches Password Recovery, SQLi, and CSRF (CVE-2026-347xx)

Multiple vulnerabilities patched in Payload: unvalidated password recovery input, SQL injection, and CSRF bypass. Upgrade to v3.79.1 for fixes.


Payload has released version 3.79.1 to address multiple vulnerabilities, including unvalidated input in password recovery, SQL injection, and CSRF bypass. These flaws could allow attackers to perform unauthorized actions or access sensitive data. Users of Payload are urged to upgrade to the latest version to mitigate these risks.

The highest CVSS score is 9.1, indicating a critical vulnerability with potentially severe impact.

What is Payload?

Payload is a Node.js package designed to streamline web development. It offers features such as content management, user authentication, and data modeling. Payload simplifies the creation of dynamic web applications by providing a flexible and extensible framework. Its modular architecture allows developers to customize and extend its functionality to meet specific project requirements. Understanding the security implications of using Payload is crucial for maintaining the integrity and confidentiality of your applications.

CVE-2026-34751: Unvalidated Input in Password Recovery

CVSS: 9.1
Affected versions: Users using Payload versions less than v3.79.1 with any auth-enabled collection using the built-in `forgot-password` functionality are affected.

Critical vulnerability; attacker can perform actions on behalf of user.

EPSS score of 0.04 indicates a low probability of exploitation.

The password recovery flow in Payload versions prior to 3.79.1 contains a vulnerability due to unvalidated input. An attacker could exploit this to perform actions on behalf of a user initiating a password reset.

How to fix CVE-2026-34751 in Payload

Patch immediately

1. Upgrade to Payload version v3.79.1 or later:

   npm update payload

Verify with:

   payload --version

Workaround: There are no complete workarounds. Upgrading to v3.79.1 is recommended.

NextGuard automatically flags CVE-2026-34751 if Payload appears in any of your monitored projects — no manual lookup required.

CVE-2026-34747: SQL Injection via Query Handling

CVSS: 8.5
Affected versions: This vulnerability affects Payload versions prior to v3.79.1.

High severity; attacker can potentially expose or modify data.

EPSS score of 0.048 indicates a low probability of exploitation.

Improper input validation in Payload's query handling allows for SQL injection attacks. An attacker could craft malicious requests to influence SQL query execution, potentially exposing or modifying data in collections.

How to fix CVE-2026-34747 in Payload

Patch immediately

1. Upgrade to Payload version v3.79.1 or later:

   npm update payload

Verify with:

   payload --version

Workaround: Until developers can upgrade, limit access to endpoints that accept dynamic query inputs to trusted users only. Validate or sanitize input from untrusted clients before sending it to query endpoints.
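One way to apply the interim workaround above, as an added example that is not Payload's own code: an allowlist validator for a Payload-style REST `where` object (`where[field][operator]=value`, parsed into nested objects) that runs before the request is forwarded to a query endpoint. The queryable field lists and the operator allowlist are assumptions constructed for this example; adjust them to your collections.

```typescript
// Added example (not Payload's own code): allowlist validation for a Payload-style
// REST `where` object before it reaches the query endpoint. Field names and
// operators are checked against a per-collection list the deployer controls.
// Assumption: the operator names below are the subset your app actually needs.
const ALLOWED_OPERATORS = new Set([
  "equals", "not_equals", "like", "contains", "in", "not_in",
  "greater_than", "greater_than_equal", "less_than", "less_than_equal", "exists",
]);

// Queryable fields per collection (constructed for this example).
const QUERYABLE_FIELDS: Record<string, Set<string>> = {
  posts: new Set(["title", "status", "createdAt"]),
};

// Returns a list of problems; an empty list means the clause is safe to forward.
function validateWhere(collection: string, where: unknown, depth = 0): string[] {
  const errors: string[] = [];
  const fields = QUERYABLE_FIELDS[collection];
  if (!fields) return [`unknown collection: ${collection}`];
  if (depth > 4) return ["where clause nested too deeply"];
  if (typeof where !== "object" || where === null || Array.isArray(where)) {
    return ["where must be an object"];
  }
  for (const [key, value] of Object.entries(where as Record<string, unknown>)) {
    if (key === "and" || key === "or") {
      if (!Array.isArray(value)) { errors.push(`${key} must be an array`); continue; }
      for (const clause of value) errors.push(...validateWhere(collection, clause, depth + 1));
      continue;
    }
    if (!fields.has(key)) { errors.push(`field not queryable: ${key}`); continue; }
    if (typeof value !== "object" || value === null || Array.isArray(value)) {
      errors.push(`condition for ${key} must be an object`); continue;
    }
    for (const [op, operand] of Object.entries(value as Record<string, unknown>)) {
      if (!ALLOWED_OPERATORS.has(op)) { errors.push(`operator not allowed on ${key}: ${op}`); continue; }
      // Only scalar operands (or arrays of scalars for in/not_in) pass through;
      // nested objects are rejected so no operator-shaped value reaches the query layer.
      const scalars = Array.isArray(operand) ? operand : [operand];
      if (scalars.some((v) => typeof v === "object" && v !== null)) {
        errors.push(`operand for ${key}.${op} must be scalar`);
      }
    }
  }
  return errors;
}

function isSafeWhere(collection: string, where: unknown): boolean {
  return validateWhere(collection, where).length === 0;
}
```

Call `isSafeWhere(collection, parsedWhere)` in middleware in front of the find endpoint and reject the request when it returns false.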

NextGuard automatically flags CVE-2026-34747 if Payload appears in any of your monitored projects — no manual lookup required.

CVE-2026-34749: CSRF Protection Bypass in Authentication Flow

CVSS: 5.4
Affected versions: Consumers are affected if using Payload version less than v3.79.1 and `serverURL` is configured.

Medium severity; CSRF bypass in authentication flow.

EPSS score of 0.019 indicates a very low probability of exploitation.

A CSRF vulnerability exists in Payload's authentication flow, potentially allowing cross-site requests to bypass configured CSRF protection. This could enable attackers to perform unauthorized actions on behalf of authenticated users.

How to fix CVE-2026-34749 in Payload

Patch within 7 days

1. Upgrade to Payload version v3.79.1 or later:

   npm update payload

Verify with:

   payload --version

Workaround: There is no complete workaround without upgrading. If consumers cannot upgrade immediately, setting `cookies.sameSite` to `'Strict'` will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).
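To check that the interim `cookies.sameSite` workaround is actually applied across every auth-enabled collection, here is an added config audit (not Payload's own code). The minimal `AuthCollection` type is an assumption standing in for Payload's collection config and models only the fields the check reads; the `Lax` default and the additional `secure` check are assumptions as well.

```typescript
// Added example, not Payload's own code: a small lint over collection configs for
// the CVE-2026-34749 workaround. Every auth-enabled collection should set
// cookies.sameSite to 'Strict' (and, as general hygiene, secure: true) until
// v3.79.1 is deployed. AuthCollection is an assumed stand-in for Payload's
// CollectionConfig; only the fields this check reads are modelled.
type SameSite = "Strict" | "Lax" | "None";

interface AuthCollection {
  slug: string;
  auth?: boolean | { cookies?: { sameSite?: SameSite; secure?: boolean } };
}

interface Finding { slug: string; problem: string }

function auditAuthCookies(collections: AuthCollection[]): Finding[] {
  const findings: Finding[] = [];
  for (const c of collections) {
    if (!c.auth) continue; // not an auth-enabled collection, nothing to check
    // `auth: true` enables auth with all defaults, i.e. no cookie options at all.
    const cookies = typeof c.auth === "object" ? c.auth.cookies ?? {} : {};
    // Assumption: an unset sameSite behaves as Lax. Lax still sends the cookie on
    // top-level cross-site navigations, so only Strict satisfies the workaround.
    if (cookies.sameSite !== "Strict") {
      findings.push({
        slug: c.slug,
        problem: `cookies.sameSite is ${cookies.sameSite ?? "unset"}, expected 'Strict'`,
      });
    }
    if (cookies.secure !== true) {
      findings.push({ slug: c.slug, problem: "cookies.secure is not true" });
    }
  }
  return findings;
}

// Constructed sample configs: the weak default beside the hardened form.
const weakUsers: AuthCollection = { slug: "users", auth: true };
const hardenedUsers: AuthCollection = {
  slug: "users",
  auth: { cookies: { sameSite: "Strict", secure: true } },
};
```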

NextGuard automatically flags CVE-2026-34749 if Payload appears in any of your monitored projects — no manual lookup required.

Stay ahead of nodejs vulnerabilities

Proactively detect and remediate vulnerabilities in your nodejs projects. Use NextGuard to monitor your nodejs dependencies for known CVEs.


Frequently asked questions

Payload users should upgrade to v3.79.1 to address these security issues. Stay informed about the latest Node.js security threats. Regularly updating your dependencies is crucial for maintaining a secure application.

Related topics

nodejs, security, vulnerability, patch, payload