logo

Database

Lack of data validation - Path Traversal In @payloadcms/storage-r2

Description

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Impact

The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location.

Consumers are affected if ALL of these are true:

    Payload version < v3.78.0

    Using client-upload signed-URL endpoints for any supported storage adapter

    Patches

This vulnerability has been patched in v3.78.0. Filename validation has been hardened for client uploads.

Consumers should upgrade to v3.78.0 or later.

Workarounds

Consumers can upgrade:

    Limit access to client-upload signed-URL endpoints to trusted users only.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-347502. NVD-2026-347503. OSV-2026-347504. GHSA-frq9-7j6g-v74x5. GCVE-2026-34750

References

1. https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.