Payload CMS Session Fixation Vulnerability in SQLite Adapter

Vulnerability

A session fixation vulnerability has been identified in Payload CMS's SQLite adapter, affecting all versions prior to 3.44.0. The adapter can assign a newly created account the same integer identifier that a previously deleted account held (SQLite allocates a new row the largest existing rowid plus one unless the column is declared AUTOINCREMENT, so deleting the most recently created row frees its identifier for reuse). Payload's JSON Web Token (JWT) identifies the authenticated user by that identifier, and deleting an account does not invalidate tokens already issued for it. An attacker who can both register and delete an account can therefore create an account, save the JWT issued for it, and delete the account; the next account created receives the same identifier, and the saved JWT now authenticates as that user.
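The mechanism above, as an added example that is not Payload's code: Python's built-in sqlite3 module shows the identifier reuse directly, and a minimal HS256 JWT stands in for Payload's token. The table layout, the signing secret, the sample accounts and the clock values are all constructed for the demo. It goes slightly beyond the advisory by also showing the two things that break the attack: declaring the primary key AUTOINCREMENT so identifiers are never recycled, and a compensating check in the token resolver that rejects a token issued before the account it points at was created.

```python
"""Added example (not Payload's code): SQLite identifier reuse plus a JWT that
outlives the account it was issued for. Schema, secret, accounts and clock
values are assumptions made for this demo, not Payload internals."""
import base64
import hashlib
import hmac
import json
import sqlite3

SECRET = b"demo-secret-do-not-use"  # stand-in for the server's JWT signing secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Compact HS256 JWT: base64url(header).base64url(claims).base64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the HMAC and return the claims. Nothing here ties the token to the
    account's lifetime, so it remains valid after the account is deleted."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("invalid signature")
    return json.loads(_unb64(body))


def make_db(autoincrement: bool) -> sqlite3.Connection:
    """Without AUTOINCREMENT, SQLite assigns max(rowid)+1, so deleting the newest
    row hands its id to the next insert. With AUTOINCREMENT ids are never reused."""
    con = sqlite3.connect(":memory:")
    pk = "INTEGER PRIMARY KEY AUTOINCREMENT" if autoincrement else "INTEGER PRIMARY KEY"
    con.execute(f"CREATE TABLE users (id {pk}, email TEXT NOT NULL, created_at INTEGER NOT NULL)")
    return con


def create_user(con: sqlite3.Connection, email: str, now: int) -> int:
    cur = con.execute("INSERT INTO users (email, created_at) VALUES (?, ?)", (email, now))
    return cur.lastrowid


def delete_user(con: sqlite3.Connection, user_id: int) -> None:
    con.execute("DELETE FROM users WHERE id = ?", (user_id,))


def issue_token(user_id: int, now: int) -> str:
    # As in a typical CMS session JWT, the subject is just the numeric row id.
    return sign_jwt({"id": user_id, "collection": "users", "iat": now})


def resolve_user(con: sqlite3.Connection, token: str, strict: bool = False):
    """Map a token to an account the way an auth middleware does. strict=True adds
    a compensating check: a token issued before the account it names was created
    cannot legitimately belong to that account."""
    claims = verify_jwt(token)
    row = con.execute("SELECT email, created_at FROM users WHERE id = ?", (claims["id"],)).fetchone()
    if row is None:
        return None
    email, created_at = row
    if strict and claims["iat"] < created_at:
        return None
    return email


def run_scenario(autoincrement: bool, strict: bool = False) -> dict:
    """Attacker registers, keeps the token, deletes the account; victim registers next."""
    con = make_db(autoincrement)
    attacker_id = create_user(con, "attacker@example.com", now=100)
    kept_token = issue_token(attacker_id, now=101)
    delete_user(con, attacker_id)
    victim_id = create_user(con, "victim@example.com", now=200)
    return {
        "attacker_id": attacker_id,
        "victim_id": victim_id,
        "token_resolves_to": resolve_user(con, kept_token, strict=strict),
    }


if __name__ == "__main__":
    print("vulnerable    :", run_scenario(autoincrement=False))
    print("autoincrement :", run_scenario(autoincrement=True))
    print("iat check     :", run_scenario(autoincrement=False, strict=True))
```

In the vulnerable configuration both accounts get id 1 and the attacker's kept token resolves to the victim's account. With AUTOINCREMENT the victim gets id 2 and the token resolves to nothing; the iat-versus-created_at check catches the same case even when the identifier is reused, which makes it a useful defence in depth wherever tokens carry only a numeric subject.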

Impact

An attacker holding a JWT issued for an account they have since deleted can use it to authenticate as whichever user is next assigned the same identifier and act with that user's permissions. The token stays usable until it expires, so the exposure window is the token lifetime, and the attacker needs only the ability to register and delete accounts on the affected deployment.

Remediation

Upgrade to Payload CMS version 3.44.0 or later. Because the attack relies on tokens that outlive the account they were issued for, also rotate the secret Payload uses to sign JWTs (the secret config value, commonly supplied as PAYLOAD_SECRET) after upgrading so that tokens issued before the fix are invalidated, and review whether untrusted users on the deployment are able to both register and delete accounts.

Added: Aug 29, 2025, 10:18 AM
Updated: Aug 29, 2025, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 7.1
remediation: 7.7
relevance: 0.4
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.