logo

Database

Improper authorization control for web services In @delmaredigital/payload-puck

Description

@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

Impact

All /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints.

An unauthenticated remote attacker could:

    List all documents (including drafts) in any Puck-registered collection

    Read any document by ID (including drafts)

    Create new documents with arbitrary field values

    Update any document (including bypassing field-level access rules)

    Delete any document

    Read version history and restore arbitrary versions

In typical installations, the affected scope is the collection backing the website's pages (default slug: pages). For most users this means an attacker could read, modify, create, or delete every page on the website — including unpublished drafts and version history.

Scope is limited to collections explicitly registered with createPuckPlugin() — the endpoints validate the collection slug against an allowlist, so attackers cannot pivot to other Payload collections such as users, media, or business data not exposed to the plugin. The auto-created puck-templates, puck-ai-prompts, and puck-ai-context collections are also outside the allowlist; they have their own dedicated endpoints with separate authentication.

Other endpoints in the plugin (AI, styles, prompts, context, and the Next.js API route factories in src/api/) were unaffected — they had their own authentication checks.

Patches

Fixed in 0.6.23. All endpoint handlers in src/endpoints/index.ts now pass overrideAccess: false and forward req to Payload's local API, so collection-level access rules are evaluated against the current user.

Workarounds

If you cannot upgrade immediately, place a reverse-proxy or middleware authentication check in front of /api/puck/* to require an authenticated session before requests reach the plugin's handlers.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-393972. NVD-2026-393973. OSV-2026-393974. GHSA-65w6-pf7x-5g855. GCVE-2026-39397

References

1. https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g852. https://github.com/delmaredigital/payload-puck/issues/73. https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.