payload
Fixed version
3.79.2
3.79.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Payload, a Node.js component. This vulnerability allows authenticated users with the necessary permissions to induce the server to make outbound HTTP requests to arbitrary URLs. The issue impacts Payload versions prior to 3.79.1 and requires specific configuration – upload-enabled collections and user access with 'create' or 'update' privileges.
The SSRF vulnerability allows an authenticated attacker to bypass security controls and potentially access internal resources or external services that are not directly accessible from the public internet. An attacker could leverage this to scan internal networks, interact with internal APIs, or even exfiltrate sensitive data if the server has access to such data. The impact is amplified if the server is configured to interact with cloud services or other external APIs, as the attacker could potentially manipulate these interactions. This vulnerability shares similarities with other SSRF exploits where attackers leverage the server's trust to access resources it shouldn't.
CVE-2026-34746 was publicly disclosed on April 1, 2026. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been publicly released as of this writing. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations using Payload in their Node.js applications are at risk, particularly those with upload functionality enabled and where authenticated users have 'create' or 'update' access to those collections. Shared hosting environments utilizing Payload with default configurations are also potentially vulnerable.
• nodejs / server: npm list payload
• nodejs / server: npm audit payload
• nodejs / server: grep -r 'http.request' ./node_modules/payload
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34746 is to upgrade Payload to version 3.79.1 or later. If immediate upgrading is not feasible, consider temporarily disabling the upload functionality for collections where it is enabled. As a secondary measure, implement strict input validation and sanitization on any user-supplied URLs used in outbound requests. Web application firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense. After upgrading, verify the fix by attempting to trigger an outbound HTTP request through the upload functionality with a known malicious URL; the request should be blocked or denied.
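As an added defensive illustration of the "strict input validation on user-supplied URLs" measure above (example code, not Payload's own code and not the 3.79.1 fix), a Node.js allow-list check that a server would run on a user-supplied URL before fetching it; the function names and the allowed host list are assumptions:

```javascript
// Added example, not Payload's code: validate a user-supplied URL before the
// server fetches it. Rejects non-HTTPS schemes, embedded credentials, literal
// loopback/private/link-local addresses and any host not on an allow-list.
// Function and parameter names are assumptions for this illustration.

function isBlockedIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||            // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function isBlockedIPv6(ip) {
  const v = ip.toLowerCase();
  if (v === '::' || v === '::1') return true;                 // unspecified, loopback
  if (/^f[cd]/.test(v) || /^fe[89ab]/.test(v)) return true;   // fc00::/7, fe80::/10
  const mapped = v.match(/^::ffff:(.+)$/);                    // IPv4-mapped address
  if (!mapped) return false;
  let dotted = mapped[1];
  if (!dotted.includes('.')) {                                // hex form, e.g. 7f00:1
    const parts = dotted.split(':').map((h) => parseInt(h, 16));
    if (parts.length !== 2 || parts.some(Number.isNaN)) return false;
    const [hi, lo] = parts;
    dotted = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }
  return isBlockedIPv4(dotted);
}

// Returns { ok: true, url } for an acceptable URL, else { ok: false, reason }.
function validateOutboundUrl(input, allowedHosts) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  const host = url.hostname;   // WHATWG parsing normalizes forms like 2130706433 to 127.0.0.1
  if (host.startsWith('[')) {
    if (isBlockedIPv6(host.slice(1, -1))) return { ok: false, reason: 'private-ip' };
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isBlockedIPv4(host)) return { ok: false, reason: 'private-ip' };
  } else if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost' };
  }
  if (!allowedHosts.includes(host)) return { ok: false, reason: 'not-allowlisted' };
  // Caveat: an allow-listed name can still resolve to an internal address (DNS
  // rebinding); re-check the resolved IP at connection time and do not follow redirects blindly.
  return { ok: true, url: url.href };
}
```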
Update Payload CMS to version 3.79.1 or later. This version contains the fix for the SSRF vulnerability. Performing the update as soon as possible is recommended to mitigate the risk.
CVE-2026-34746 is a HIGH severity SSRF vulnerability affecting Payload versions before 3.79.1, allowing authenticated users to trigger outbound HTTP requests.
You are affected if you use Payload version < 3.79.1, have upload-enabled collections, and authenticated users have 'create' or 'update' access.
Upgrade Payload to version 3.79.1 or later. Temporarily disable upload functionality if upgrading is not immediately possible.
No active exploitation has been publicly confirmed as of this writing, but monitoring is recommended.
Refer to the Payload project's official security advisories and release notes for the most up-to-date information.