CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27567: Payload CMS: When 'Safe' URLs Take a Detour (CVE-2026-27567)

Vulnerability ID: CVE-2026-27567
CVSS Score: 6.5
Published: 2026-02-24

Payload CMS, a darling of the headless CMS world, recently patched a Server-Side Request Forgery (SSRF) vulnerability that perfectly illustrates why trusting HTTP clients to 'do the right thing' is a dangerous game. The flaw lay in the 'Upload from URL' feature—a convenient tool for content editors that inadvertently became a proxy for attackers to tour the internal network. While the system diligently checked the initial URL for safety, it failed to account for the HTTP client's enthusiasm for following redirects. This allowed authenticated attackers to bypass allowlists and access local services or cloud metadata by simply bouncing the request through a malicious server.

TL;DR

Authenticated SSRF in Payload CMS < 3.75.0 via the 'Upload from URL' feature. The application validated the initial URL but automatically followed HTTP redirects (302) to restricted internal targets (like 169.254.169.254). Fixed by implementing manual redirect handling.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS Score: 6.5 (Medium)
  • Impact: Confidentiality, Integrity
  • Permissions: Authenticated (Create Access)
  • Status: Patched

Affected Systems

  • Payload CMS
  • Payload CMS: < 3.75.0 (Fixed in: 3.75.0)

Code Analysis

Commit: 1041bb6

feat: handle redirects manually in getExternalFile

fetch(url, { redirect: 'manual' }) // Manual handling added

Exploit Details

Mitigation Strategies

  • Update Payload CMS to version 3.75.0+
  • Disable 'Upload from URL' functionality in collection configs
  • Implement Egress Filtering to block internal IP ranges
  • Enforce IMDSv2 on cloud instances to mitigate metadata theft

Remediation Steps:

  1. Check your package.json for the payload version.
  2. Run npm install payload@latest or yarn upgrade payload.
  3. Verify the version is >= 3.75.0.
  4. Restart the application server.

References


Read the full report for CVE-2026-27567 on our website for more details including interactive diagrams and full exploit analysis.
