Platform: nodejs
Component: @delmaredigital/payload-puck
Fixed in: 0.6.24, 0.6.23
CVE-2026-39397 is a critical remote code execution (RCE) vulnerability affecting the @delmaredigital/payload-puck Node.js package. This flaw allows unauthenticated attackers to bypass access controls within Payload CMS, enabling them to manipulate data within Puck-registered collections. Affected versions are those prior to 0.6.23; upgrading to the patched version is essential to mitigate this risk.
The vulnerability stems from missing authorization on the /api/puck/* endpoints: they call Payload with overrideAccess: true, which skips collection-level access rules entirely, so whatever access rules an operator configured on the Puck-registered collections are never consulted. An unauthenticated attacker can use these endpoints to list all documents (drafts included), read documents by ID, create documents with arbitrary data, and modify existing documents. This is both a data exposure and a data integrity risk, since sensitive content can be read, altered or planted. The blast radius extends to any Payload CMS instance that loads the vulnerable @delmaredigital/payload-puck plugin.
This vulnerability was publicly disclosed on 2026-04-08. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the critical severity suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the vulnerability's nature and severity.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation is to upgrade immediately to @delmaredigital/payload-puck version 0.6.23 or later. If an immediate upgrade is not feasible because of compatibility issues, temporarily disable the Puck plugin. Strict input validation on data received from external sources reduces the attack surface but is not a substitute for the fix, because the flaw is missing authorization rather than malformed input. After upgrading, review and audit all Puck-registered collections and their access rules to ensure they are configured as intended, and confirm the fix by requesting the Puck endpoints without authentication and verifying that access is denied.
Update the payload-puck plugin to version 0.6.23 or higher to mitigate the vulnerability. This update fixes the missing authorization on the /api/puck/* CRUD endpoints, ensuring that collection-level access controls are applied.
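To make the mechanism concrete, here is an added example (not code from the advisory or from the payload-puck project) that places the vulnerable handler pattern beside the hardened one. It uses a small stand-in for Payload's local API `find()` and a constructed `pages` collection so it runs offline; the access-rule shape (`access.read` receiving `{ req }` and returning `true`, `false`, or a query constraint) and the `overrideAccess` / `user` options mirror Payload's documented local API, but the `find` function here is a simplification, not Payload itself.

```javascript
// Constructed collection with a common Payload access rule: anonymous
// requests may read only published documents; logged-in users read all.
const pagesCollection = {
  slug: 'pages',
  access: {
    read: ({ req }) => (req.user ? true : { _status: { equals: 'published' } }),
  },
  docs: [
    { id: '1', title: 'Home', _status: 'published' },
    { id: '2', title: 'Unreleased pricing', _status: 'draft' },
  ],
};

// Minimal stand-in for payload.find(). Like the real local API,
// overrideAccess: true skips the collection's access rules entirely;
// otherwise the read rule is evaluated for the supplied user and a
// returned query constraint is applied as a filter.
function find({ collection, overrideAccess, user }) {
  let docs = collection.docs;
  if (!overrideAccess) {
    const rule = collection.access.read({ req: { user } });
    if (rule === false) throw new Error('Forbidden');
    if (rule !== true) {
      docs = docs.filter((d) =>
        Object.entries(rule).every(([field, cond]) => d[field] === cond.equals)
      );
    }
  }
  return { docs };
}

// Vulnerable pattern: the plugin endpoint bypasses every collection rule,
// so an anonymous caller receives drafts along with published documents.
function vulnerableListHandler(req) {
  return find({ collection: pagesCollection, overrideAccess: true, user: req.user }).docs;
}

// Hardened pattern: let Payload enforce the collection's access rules for
// the requesting user (req.user is null for unauthenticated requests).
function hardenedListHandler(req) {
  return find({ collection: pagesCollection, overrideAccess: false, user: req.user }).docs;
}

// Post-upgrade check from the mitigation section: an unauthenticated request
// must not see drafts. Returns true when the handler is correctly restricted.
function anonymousSeesOnlyPublished(handler) {
  return handler({ user: null }).every((d) => d._status === 'published');
}
```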
CVE-2026-39397 is a critical remote code execution vulnerability in the @delmaredigital/payload-puck Node.js package for Payload CMS, allowing unauthenticated attackers to bypass access controls and manipulate data.
You are affected if you are using @delmaredigital/payload-puck versions prior to 0.6.23 and are running a Payload CMS instance.
Upgrade to @delmaredigital/payload-puck version 0.6.23 or later. If immediate upgrade is not possible, temporarily disable the Puck plugin.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of future exploitation.
Refer to the Payload CMS official security advisory and the @delmaredigital/payload-puck repository for updates and further information.