CVE-2026-25574

EPSS 0.19%
Veröffentlicht 06.02.2026 21:04:48
Zuletzt bearbeitet 20.02.2026 20:14:13
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Payloadcms ≫ Payload SwPlatformnode.js Version < 3.74.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.091

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-25574

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25574

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25574

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25574