Cross-site request forgery in Payload

Description

Payload has a CSRF protection bypass in its authentication flow

Impact

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Consumers are affected if ALL of these are true:

    Payload version < v3.79.1

    serverURL is configured

Patches

This vulnerability has been patched in v3.79.1. Additional validation has been added to the authentication flow.

Consumers should upgrade to v3.79.1 or later.

Workarounds

There is no complete workaround without upgrading.

If consumers cannot upgrade immediately, setting cookies.sameSite to 'Strict' will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).
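As an added example (not Payload's own code), the following TypeScript checks a config against the two conditions above and lists the auth-enabled collections where the interim `cookies.sameSite: 'Strict'` workaround is not in place. The `PayloadConfigLike` shape is an assumption modelled on the top-level `serverURL` option and the per-collection `auth.cookies.sameSite` option named in this advisory; it is not imported from the `payload` package, and the sample config is constructed.

```typescript
// Assumed shape of the relevant config options (not imported from 'payload').
type SameSite = 'Strict' | 'Lax' | 'None';

interface PayloadConfigLike {
  serverURL?: string;
  collections: Array<{
    slug: string;
    auth?: boolean | { cookies?: { sameSite?: SameSite; secure?: boolean } };
  }>;
}

// First patched release named in the advisory.
const PATCHED = [3, 79, 1];

// Parse "3.78.0" or "v3.79.1" into numeric components.
function parseVersion(v: string): number[] {
  return v.replace(/^v/, '').split('.').map((n) => parseInt(n, 10) || 0);
}

// True when the running version is older than the patched release.
function isAffectedVersion(version: string): boolean {
  const parts = parseVersion(version);
  for (let i = 0; i < PATCHED.length; i++) {
    const part = parts[i] ?? 0;
    if (part !== PATCHED[i]) return part < PATCHED[i];
  }
  return false;
}

// The advisory's conditions: vulnerable version AND serverURL configured.
function isAffected(version: string, config: PayloadConfigLike): boolean {
  const hasServerURL = typeof config.serverURL === 'string' && config.serverURL.length > 0;
  return isAffectedVersion(version) && hasServerURL;
}

// Auth-enabled collections whose session cookie is not SameSite=Strict,
// i.e. where the interim workaround has not been applied.
function collectionsMissingWorkaround(config: PayloadConfigLike): string[] {
  return config.collections
    .filter((c) => c.auth)
    .filter((c) => !(typeof c.auth === 'object' && c.auth.cookies?.sameSite === 'Strict'))
    .map((c) => c.slug);
}

// Constructed sample: serverURL set, one collection hardened, one not.
const sampleConfig: PayloadConfigLike = {
  serverURL: 'https://cms.example.test',
  collections: [
    { slug: 'users', auth: { cookies: { sameSite: 'Strict', secure: true } } },
    { slug: 'admins', auth: true },
  ],
};
```

Running the checks against `sampleConfig` on a pre-3.79.1 version reports the install as affected and flags `admins` as the collection still sending its cookie cross-site.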
