Platform
nodejs
Component
payload
Fixed in
3.79.2
3.79.1
CVE-2026-34751 describes a critical vulnerability in Payload, a Node.js application. This flaw resides within the password recovery flow, enabling an unauthenticated attacker to potentially execute actions as a user who initiates a password reset. The vulnerability affects Payload versions prior to 3.79.1, and a patch is available in version 3.79.1 and later.
The impact of CVE-2026-34751 is significant. An attacker exploiting this vulnerability could gain unauthorized access to user accounts, potentially leading to data breaches, account takeover, and further malicious activities. The attacker does not need to authenticate to trigger the password reset process and then leverage the resulting vulnerability. This could allow them to modify user profiles, access sensitive data, or even escalate privileges within the application. The blast radius extends to all users utilizing the built-in forgot-password functionality with authentication enabled.
CVE-2026-34751 was publicly disclosed on 2026-04-01. Its criticality (CVSS 9.1) indicates a high likelihood of exploitation. There are currently no publicly known proof-of-concept exploits, but the ease of exploitation described in the vulnerability description suggests that one may emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS
0.05% (17% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34751 is to upgrade Payload to version 3.79.1 or later. This patched version includes hardened input validation and URL construction within the password recovery flow, effectively addressing the vulnerability. Unfortunately, there are no complete workarounds available short of upgrading. Ensure proper access controls are in place to limit the potential impact if immediate patching is not possible. After upgrading, confirm the password recovery flow functions as expected and that no unauthorized account activity has occurred.
Upgrade Payload CMS to version 3.79.1 or later. This version addresses a vulnerability in the password recovery flow that could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34751 is a critical vulnerability in Payload versions prior to 3.79.1 that allows unauthenticated attackers to perform actions on behalf of users during password resets, potentially leading to account takeover.
You are affected if you are using Payload version < v3.79.1 with any auth-enabled collection utilizing the built-in forgot-password functionality.
Upgrade Payload to version 3.79.1 or later to mitigate the vulnerability. There are no complete workarounds available.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation. Monitor security advisories.
Refer to the official Payload security advisory for detailed information and updates regarding CVE-2026-34751.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.