CVE-2026-34751：Payload CMS GraphQL 密码重置漏洞

Payload的密码恢复流程中存在一个漏洞。未经身份验证的攻击者可能能够代表发起密码重置的用户执行操作。这归因于恢复流程中输入验证和URL构造不足。如果攻击者能够操纵这些方面，他们可能无需知道用户的当前密码即可破坏用户帐户。

Organizations and individuals using Payload with authentication enabled and relying on the built-in forgot-password functionality are at risk. This includes those deploying Payload in shared hosting environments or legacy configurations where upgrading may be challenging. Specifically, users who haven't implemented robust input validation or URL sanitization practices are particularly vulnerable.

• nodejs / server: Monitor Payload application logs for unusual password reset requests originating from unexpected IP addresses.

grep 'password reset request' /var/log/payload/app.log | grep -v 'your_expected_ip_range'

• nodejs / server: Use process monitoring tools to ensure Payload is running version 3.79.1 or later.

node -v

• generic web: Attempt to trigger the password reset flow for various user accounts and observe the resulting URLs for any signs of manipulation or unexpected behavior. Use curl to inspect the URL generated during the password reset process.

curl 'https://your-payload-instance/[email protected]'

1. 2026-04-01Disclosure

   disclosure

1. 已保留2026-03-30
2. 发布日期2026-04-01
3. 修改日期2026-04-08
4. EPSS 更新日期2026-04-09

为了减轻此风险，我们强烈建议升级到Payload版本3.79.1或更高版本。此更新包括强化输入验证和URL构造，从而增强了密码恢复流程的安全性。如果无法立即升级，则暂时禁用“忘记密码”功能可能是一种临时措施，但并非理想。