Payload CMS Authenticated Server-Side Request Forgery Vulnerability in Upload Functionality

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Payload CMS versions prior to 3.79.1. This vulnerability allows authenticated users with create or update access to an upload-enabled collection to manipulate the server into making outbound HTTP requests to arbitrary URLs. The issue has been addressed in version 3.79.1.

Impact

Exploitation requires an authenticated account with create or update access to an upload-enabled collection. A successful attack causes the server to issue HTTP requests on the attacker's behalf, potentially giving access to internal resources or services that are reachable only from the server's network.

Remediation

Users are advised to upgrade to Payload CMS version 3.79.1 or later. If an immediate upgrade is not possible, restrict create and update access to upload-enabled collections to trusted roles only, and limit outbound network access from the Payload server where possible.
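One way to apply the interim access restriction in a Payload collection config, as an added example that is not the project's own code. It assumes users carry a `roles` array and that `admin` and `editor` are the trusted roles; the weak configuration is shown beside the hardened one.

```typescript
// Added example (not Payload's own code). Assumption: user documents have a
// `roles: string[]` field, and 'admin' / 'editor' are the trusted roles.

type User = { id: string; roles?: string[] } | null | undefined
type AccessArgs = { req: { user?: User } }

const TRUSTED_ROLES: readonly string[] = ['admin', 'editor']

// Any logged-in user passes; anonymous requests are refused.
const authenticatedOnly = ({ req }: AccessArgs): boolean => Boolean(req.user)

// Only logged-in users holding at least one trusted role pass.
const trustedRolesOnly = ({ req }: AccessArgs): boolean => {
  const roles = req.user?.roles ?? []
  return roles.some((r) => TRUSTED_ROLES.includes(r))
}

// Weak: every authenticated user may create or update uploads, which is the
// precondition the advisory describes.
const mediaBefore = {
  slug: 'media',
  upload: true,
  access: { create: authenticatedOnly, update: authenticatedOnly },
}

// Hardened: create/update (and delete) limited to trusted roles, as recommended
// until the upgrade to 3.79.1 or later can be done.
const mediaHardened = {
  slug: 'media',
  upload: true,
  access: {
    read: authenticatedOnly,
    create: trustedRolesOnly,
    update: trustedRolesOnly,
    delete: trustedRolesOnly,
  },
}
```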

Added: Apr 1, 2026, 8:33 PM
Updated: Apr 1, 2026, 8:33 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 4.8
remediation: 8.3
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.