Platform: nodejs
Component: payload
Fixed in: 3.79.2, 3.79.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Payload, a Node.js component. It allows authenticated users with the necessary permissions to induce the server to make outbound HTTP requests to arbitrary URLs. The issue affects Payload versions prior to 3.79.1 and requires a specific configuration: upload-enabled collections, and user access with 'create' or 'update' privileges on them.
The SSRF vulnerability allows an authenticated attacker to bypass network boundaries and reach internal resources or external services that are not directly accessible from the public internet. An attacker could use this to scan internal networks, interact with internal APIs, or exfiltrate sensitive data if the server has access to such data. The impact is amplified if the server is configured to interact with cloud services or other external APIs, since those interactions could be manipulated as well. As in other SSRF vulnerabilities, the attacker leverages the server's own network position and trust to access resources it should not.
CVE-2026-34746 was publicly disclosed on April 1, 2026. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code had been released as of this writing. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-34746 is to upgrade Payload to version 3.79.1 or later. If an immediate upgrade is not feasible, consider temporarily disabling upload functionality for the collections where it is enabled. As a secondary measure, implement strict validation of any user-supplied URL before the server uses it in an outbound request. Web application firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense. After upgrading, verify the fix by attempting to trigger an outbound HTTP request through the upload functionality with a known malicious URL; the request should be blocked or denied.
Update Payload CMS to version 3.79.1 or later; this version contains the fix for the SSRF vulnerability. Perform the update as soon as possible to mitigate the risk.
CVE-2026-34746 is a HIGH severity SSRF vulnerability affecting Payload versions before 3.79.1, allowing authenticated users to trigger outbound HTTP requests.
You are affected if you run a Payload version earlier than 3.79.1, have upload-enabled collections, and authenticated users hold 'create' or 'update' access to them.
Upgrade Payload to version 3.79.1 or later. Temporarily disable upload functionality if upgrading is not immediately possible.
No active exploitation has been publicly confirmed as of this writing, but monitoring is recommended.
Refer to the Payload project's official security advisories and release notes for the most up-to-date information.