CVE-2026-34751: CVE-2026-34751: Unvalidated Input in Password Recovery Endpoints in Payload CMS

#security #cve #cybersecurity

CVE-2026-34751: Unvalidated Input in Password Recovery Endpoints in Payload CMS

Vulnerability ID: CVE-2026-34751
CVSS Score: 9.1
Published: 2026-04-01

Payload CMS prior to version 3.79.1 contains a critical vulnerability in its password recovery endpoints. This flaw allows an unauthenticated attacker to manipulate password reset links via Host header injection and exploit partial token matches in database adapters, leading to unauthorized account takeover.

TL;DR

A critical flaw in Payload CMS (< 3.79.1) permits unauthenticated attackers to achieve account takeover through Host header injection in password reset emails and database query partial-match misconfigurations.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-640
Attack Vector: Network
CVSS Score: 9.1 (Critical)
Exploit Status: Proof of Concept (PoC)
CISA KEV: Not Listed
Affected Component: Password Recovery Endpoints

Affected Systems

Payload CMS
payload package
@payloadcms/graphql package
payload: < 3.79.1 (Fixed in: 3.79.1)
@payloadcms/graphql: < 3.79.1 (Fixed in: 3.79.1)

Code Analysis

Commit: fba2438

Fix contains operator on hasMany select fields

Commit: fe36dde

Correct query limit on polymorphic joins

Mitigation Strategies

Upgrade Payload CMS to version 3.79.1 or later.
Hardcode the serverURL property in the Payload configuration.
Define trustedOrigins to restrict external redirections.

Remediation Steps:

Update the package.json file to require payload and @payloadcms/graphql version 3.79.1.
Run npm install or yarn install to apply the updates.
Edit the payload.config.ts file to explicitly define the serverURL property.
Edit the payload.config.ts file to populate the trustedOrigins array.
Restart the Payload CMS service.

References

Read the full report for CVE-2026-34751 on our website for more details including interactive diagrams and full exploit analysis.

DEV Community