logo

Database

Restricted fields manipulation In payload

Description

payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

    Multiple auth collections configured (e.g., admins + customers)

    Postgres or SQLite database adapter with serial/auto-increment IDs

    Users in different auth collections with the same numeric ID

Not affected:

    @payloadcms/db-mongodb adapter

    Single auth collection environments

    Postgres/SQLite with idType: 'uuid'

Patches

This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.

Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-255742. NVD-2026-255743. OSV-2026-255744. GHSA-jq29-r496-r9555. GCVE-2026-25574

References

1. https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.