Payload CMS Cross-Collection Insecure Direct Object Reference Vulnerability in Preferences Management

Vulnerability

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability has been identified in Payload CMS versions prior to 3.74.0. It lies in the internal 'payload-preferences' collection. In deployments with more than one auth-enabled collection, running on Postgres or SQLite with the default serial or auto-increment IDs, an authenticated user from one auth collection can read and delete the preferences of a user in a different auth collection whose numeric ID is the same as theirs. This issue has been resolved in version 3.74.0.

Impact

Exploitation of this vulnerability allows an authenticated user to read and delete preference data belonging to users of other authentication collections, leading to unauthorized disclosure and manipulation of that data.
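The following is an added illustration, not Payload CMS source code, of the pattern the advisory describes: a preferences lookup that identifies the owner by numeric user ID alone lets two users from different auth collections with the same serial ID alias each other, while scoping the lookup to the (collection, id) pair does not. All names, the sample rows and the collision check are hypothetical and constructed for this example.

```typescript
// Added illustration, not Payload CMS source: a minimal model of why an
// owner lookup keyed on the numeric id alone collides across auth
// collections, and how keying on (collection, id) fixes it.

interface AuthUser {
  collection: string; // auth-enabled collection the user logged in through
  id: number;         // serial / auto-increment id, unique only within that collection
}

interface Preference {
  key: string;
  value: string;
  userCollection: string; // owner's auth collection
  userId: number;         // owner's id within that collection
}

type OwnerMatch = (p: Preference, user: AuthUser) => boolean;

// Vulnerable predicate: compares the numeric id only, so admins#1 and customers#1 alias.
export const matchByIdOnly: OwnerMatch = (p, user) => p.userId === user.id;

// Hardened predicate: the owner is the pair (collection, id).
export const matchByCollectionAndId: OwnerMatch = (p, user) =>
  p.userCollection === user.collection && p.userId === user.id;

// Constructed sample data: two auth collections whose serial ids overlap at 1.
export function sampleStore(): Preference[] {
  return [
    { key: 'theme', value: 'dark',  userCollection: 'admins',    userId: 1 },
    { key: 'theme', value: 'light', userCollection: 'customers', userId: 1 },
    { key: 'theme', value: 'light', userCollection: 'customers', userId: 2 },
  ];
}

// Read the caller's preference rows for `key` using the supplied owner predicate.
export function readPrefs(
  store: Preference[], user: AuthUser, key: string, match: OwnerMatch,
): Preference[] {
  return store.filter((p) => p.key === key && match(p, user));
}

// Delete the caller's preference rows for `key`; returns the surviving rows and the delete count.
export function deletePrefs(
  store: Preference[], user: AuthUser, key: string, match: OwnerMatch,
): { remaining: Preference[]; deleted: number } {
  const remaining = store.filter((p) => !(p.key === key && match(p, user)));
  return { remaining, deleted: store.length - remaining.length };
}

// Exposure check for operators: which numeric ids exist in more than one auth collection?
// On an affected version, only these ids can be reached cross-collection.
export function collidingIds(users: AuthUser[]): number[] {
  const byId = new Map<number, Set<string>>();
  for (const u of users) {
    if (!byId.has(u.id)) byId.set(u.id, new Set<string>());
    byId.get(u.id)!.add(u.collection);
  }
  return [...byId.entries()]
    .filter(([, cols]) => cols.size > 1)
    .map(([id]) => id)
    .sort((a, b) => a - b);
}
```

With the sample rows, a read or delete by the admin with id 1 through `matchByIdOnly` touches both the admin's and the customer's rows, whereas `matchByCollectionAndId` touches only the admin's own row. `collidingIds` over the user tables shows how many accounts an unpatched instance actually exposes, which helps prioritise the upgrade.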

Remediation

Users should upgrade to Payload CMS version 3.74.0 or later. There is no workaround available other than upgrading.

Added: Feb 6, 2026, 11:36 PM
Updated: Feb 6, 2026, 11:36 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 1.3
exploitability: 5.0
remediation: 7.7
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.