logo

Database

SQL injection - Code In @payloadcms/drizzle

Description

@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

Impact

When querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL Injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking.

Users are affected if ALL of these are true:

    Payload version < v3.73.0

    Using a Drizzle-based database adapter (@payloadcms/drizzle as dependency):

      @payloadcms/db-postgres

      @payloadcms/db-vercel-postgres

      @payloadcms/db-sqlite

      @payloadcms/db-d1-sqlite

    At least one accessible collection that has a type: 'json' or type: 'richText' field where access.read returns anything other than false (true or Where constraint)

Users are NOT affected if:

    Using @payloadcms/db-mongodb

    No JSON or richText fields exist in any collection

    All JSON/richText fields have access: { read: () => false }

Patches

Upgrade to Payload v3.73.0 or later.

Workarounds

If a project cannot upgrade immediately, add access: { read: () => false } to all JSON and richText fields as a temporary mitigation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-255442. NVD-2026-255443. OSV-2026-255444. GHSA-xx6w-jxg9-2wh85. GCVE-2026-25544

References

1. https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.