Lack of data validation in @payloadcms/graphql

Description

Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery

Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

- They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in forgot-password functionality.

Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to v3.79.1 or later.

Workarounds

There are no complete workarounds. Upgrading to v3.79.1 is recommended.

Mitigation

Update Impact

Minimal update; it may nevertheless introduce new vulnerabilities or breaking changes.
