Payload CMS JSON Web Token Session Management Vulnerability

Vulnerability

Payload CMS versions prior to 3.44.0 do not invalidate the JSON Web Tokens (JWTs) used for authentication when a user logs out. Logout is effectively client-side only: a token that has been stolen or intercepted remains accepted by the server until it expires, which by default happens after two hours but is configurable. A related session fixation issue affects Payload's SQLite adapter, where the identifier of a deleted account can be reused for the next account created. An attacker can create an account, keep its JWT, delete the account (which does not invalidate the token), and wait for the next user to be assigned the same identifier; because the token is bound only to that identifier, it then authenticates as the new user.

Impact

Anyone holding a valid token can read and modify data as the associated user until the token expires, even after that user has logged out. In the identifier-reuse case, a token the attacker obtained for a throwaway account grants access to another user's account.

Remediation

Update to Payload CMS version 3.44.0 or later. Upgrading does not shorten the life of tokens already issued, so treat tokens minted before the upgrade as live until their expiry passes. To confirm the fix, log in, call an authenticated endpoint with the token, log out, and repeat the call: an affected instance still returns the user's data.

Added: Aug 29, 2025, 10:19 AM
Updated: Aug 29, 2025, 10:19 AM

Vulnerability Rating

Custom Algorithm

  spread          2.2
  impact          1.3
  exploitability  8.2
  remediation     7.7
  relevance       0.4
  threat          3.2
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.