Server-side request forgery (SSRF) in Payload

Description

Payload has Authenticated SSRF via Upload Functionality

Impact

An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.

Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.

Consumers are affected if ALL of these are true:

    Payload version < v3.79.1

    At least one collection with upload enabled

    An authenticated user has create or update access to that collection

Patches

This vulnerability has been patched in v3.79.1. Users should upgrade to v3.79.1 or later.

Workarounds

Until consumers can upgrade:

    Restrict create and update access to upload-enabled collections to trusted roles only.

    Limit outbound network access from your Payload server where possible.
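An application-level complement to that second workaround, added here as an example and not Payload's own code: an upload-from-URL handler can refuse to fetch any URL whose scheme is not http(s) or whose host resolves to a loopback, private, link-local or multicast address. The `resolve` callback is an assumption of the example (in a real handler it would wrap the server's DNS lookup), and the hostnames and addresses used are constructed documentation values.

```typescript
// Constructed example (not Payload's own code): a guard that an upload-from-URL
// handler can run before fetching. Assumes the caller passes a DNS resolver so
// every resolved address is checked, not just the hostname string.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
// Dotted-quad IPv4 to integer; null if the string is not a plain dotted quad.
function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True for loopback, private, link-local, CGNAT, multicast and their IPv6 equivalents.
function isBlockedAddress(ip: string): boolean {
  const v4 = v4ToInt(ip);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === (((v4ToInt(net) as number) & mask) >>> 0);
    });
  }
  const v6 = ip.toLowerCase().replace(/^\[|\]$/g, "");
  if (v6 === "::1" || v6 === "::") return true;
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  if (mapped) return isBlockedAddress(mapped[1]); // IPv4-mapped, e.g. ::ffff:10.0.0.1
  return /^(fc|fd|fe[89ab])/.test(v6); // fc00::/7 unique-local, fe80::/10 link-local
}
// Returns null when the URL may be fetched, otherwise the reason it was refused.
// The WHATWG URL parser normalises hosts such as 0x7f000001 to 127.0.0.1 first.
function checkOutboundUrl(raw: string, resolve: (host: string) => string[]): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return "unparseable URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return `scheme ${url.protocol} refused`;
  if (url.username || url.password) return "credentials in URL refused";
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback host refused";
  const literal = host.includes(":") || v4ToInt(host) !== null;
  const addrs = literal ? [host] : resolve(host);
  if (addrs.length === 0) return `${host} did not resolve`;
  const bad = addrs.find(isBlockedAddress);
  return bad ? `${host} points at internal address ${bad}` : null;
}
```

The check is only as good as the connection that follows it: the fetch client should connect to the address the guard validated (or re-run the guard on every hop) and should not follow redirects to an unchecked host, otherwise a DNS answer that changes between check and connect bypasses it.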
