Platform: nodejs
Component: payloadcms
Fixed in: 3.79.2
CVE-2026-34749 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Payload CMS. This flaw allows attackers to potentially execute unauthorized actions within the application if CSRF protection can be bypassed. The vulnerability impacts versions 3.79.0 through 3.79.0 and has been addressed in version 3.79.1.
A successful CSRF attack could allow an attacker to perform actions on behalf of an authenticated user without their knowledge or consent. This could include modifying content, changing user permissions, or executing other administrative tasks. The impact is amplified if the attacker can target users with elevated privileges. While the description indicates that CSRF protection can be bypassed under certain conditions, the specific conditions are not detailed, making it difficult to fully assess the attack surface. The blast radius depends on the permissions of the affected user and the sensitivity of the data and functionality accessible through the CMS.
CVE-2026-34749 was publicly disclosed on 2026-04-01. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept (PoC) code has been identified. The vulnerability's impact is dependent on the specific configuration and usage patterns of the Payload CMS instance.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-34749 is to immediately upgrade Payload CMS to version 3.79.1 or later. If upgrading is not immediately feasible, consider implementing stricter CSRF protection measures, such as requiring additional authentication factors for sensitive operations. Review and strengthen existing CSRF prevention mechanisms within the application. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. After upgrading, verify the fix by attempting to trigger a CSRF request and confirming that it is blocked.
Update to version 3.79.1 or later to mitigate the CSRF protection bypass vulnerability in the authentication flow. This update fixes the issue by implementing more robust security measures to prevent cross-site forged requests.
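The two paragraphs above recommend stronger CSRF protection as an interim measure and a post-upgrade check that a forged request is blocked. The following is an added example written for this page, not Payload CMS code and not the project's actual fix: a defender-side CSRF guard for cookie-authenticated, state-changing requests that uses Fetch Metadata (Sec-Fetch-Site) with an Origin/Referer allowlist fallback, and a self-check that runs constructed sample requests through it. The allowed origin, cookie name and header values are assumed placeholders.

```javascript
// Added example, not Payload CMS code: an origin-based CSRF guard for
// cookie-authenticated, state-changing requests, plus a self-check that
// exercises it with constructed sample requests.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Assumed deployment configuration (placeholder origin, not from the advisory):
// the browser origins allowed to issue state-changing requests to the app.
const DEFAULT_CONFIG = {
  allowedOrigins: new Set(['https://cms.example.com']),
};

// Lower-case header names so lookups are case-insensitive.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Derive the requesting origin from Origin, falling back to Referer.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (!headers.referer) return null;
  try {
    return new URL(headers.referer).origin;
  } catch {
    return null; // unparsable Referer gives us no evidence of same-site
  }
}

// Decide whether a request passes the CSRF guard.
// Returns { allowed, reason } so callers and tests can see why.
function evaluateRequest(req, config = DEFAULT_CONFIG) {
  const method = String(req.method || 'GET').toUpperCase();
  const headers = normaliseHeaders(req.headers);

  // Reads are not CSRF targets, provided they really are side-effect free.
  if (!STATE_CHANGING.has(method)) return { allowed: true, reason: 'safe method' };

  // CSRF rides on ambient credentials (cookies). A request authenticated only
  // by a bearer token that another site cannot attach is not forgeable.
  if (!headers.cookie && headers.authorization) {
    return { allowed: true, reason: 'bearer-authenticated, no cookie' };
  }

  // Fetch Metadata: modern browsers label cross-site requests explicitly.
  if (headers['sec-fetch-site'] === 'cross-site') {
    return { allowed: false, reason: 'Sec-Fetch-Site: cross-site' };
  }

  // Fall back to Origin/Referer against the allowlist. Fail closed when
  // neither is present, since we cannot prove the request is same-site.
  const origin = requestOrigin(headers);
  if (origin === null) return { allowed: false, reason: 'no Origin or Referer' };
  if (!config.allowedOrigins.has(origin)) {
    return { allowed: false, reason: `origin ${origin} not allowed` };
  }
  return { allowed: true, reason: 'origin allowed' };
}

// Middleware shape usable with Node's http module or Express-style handlers.
function csrfGuard(config = DEFAULT_CONFIG) {
  return (req, res, next) => {
    const verdict = evaluateRequest(req, config);
    if (verdict.allowed) return next();
    res.statusCode = 403;
    res.end(`CSRF check failed: ${verdict.reason}`);
  };
}

// Post-upgrade self-check in the spirit of the advisory's advice: a forged
// cross-site request must be rejected while legitimate traffic still passes.
// Every request below is a constructed sample with placeholder values.
function verifyGuard(config = DEFAULT_CONFIG) {
  const cookie = 'session=placeholder';
  const cases = [
    { name: 'same-origin admin POST', expect: true,
      req: { method: 'POST', headers: { Cookie: cookie, Origin: 'https://cms.example.com', 'Sec-Fetch-Site': 'same-origin' } } },
    { name: 'cross-site form POST', expect: false,
      req: { method: 'POST', headers: { Cookie: cookie, Origin: 'https://third-party.example', 'Sec-Fetch-Site': 'cross-site' } } },
    { name: 'cross-site POST, Referer only (older browser)', expect: false,
      req: { method: 'POST', headers: { Cookie: cookie, Referer: 'https://third-party.example/page' } } },
    { name: 'cookie POST with no origin information', expect: false,
      req: { method: 'POST', headers: { Cookie: cookie } } },
    { name: 'GET from anywhere', expect: true,
      req: { method: 'GET', headers: { Cookie: cookie, Origin: 'https://third-party.example' } } },
  ];
  return cases.map((c) => {
    const verdict = evaluateRequest(c.req, config);
    return { name: c.name, pass: verdict.allowed === c.expect, reason: verdict.reason };
  });
}

// Report the self-check when run directly.
for (const r of verifyGuard()) console.log(`${r.pass ? 'PASS' : 'FAIL'} ${r.name} (${r.reason})`);
```

The guard fails closed on cookie-bearing write requests that carry no Origin or Referer; if a legitimate non-browser client relies on cookies without those headers, move it to bearer-token authentication rather than weakening the check. Also note that a header check like this complements, but does not replace, per-session CSRF tokens where the application already provides them.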
CVE-2026-34749 is a Cross-Site Request Forgery (CSRF) vulnerability in Payload CMS versions 3.79.0 through 3.79.0, allowing attackers to potentially perform unauthorized actions.
If you are using Payload CMS version 3.79.0 or earlier, you are potentially affected by this vulnerability. Upgrade to version 3.79.1 or later to mitigate the risk.
The recommended fix is to upgrade Payload CMS to version 3.79.1 or later. If upgrading is not immediately possible, implement stricter CSRF protection measures.
There is currently no evidence of active exploitation of CVE-2026-34749, but it's crucial to apply the patch proactively.
Refer to the official Payload CMS security advisories and release notes for detailed information and updates regarding CVE-2026-34749.