Payload, the fast-growing fullstack Next.js framework marketed as giving developers “instant backend superpowers”, has a critical vulnerability in its password recovery flow. The flaw could let an attacker hijack the reset process and act on behalf of the user who requested the reset.
Tracked as CVE-2026-34751, the issue carries a CVSS score of 9.1, placing it in the “Critical” severity band.
Payload provides an instant TypeScript backend and admin panel that can be used as a headless CMS or a foundation for complex applications. However, researchers discovered a weakness in how the platform handles input during the “forgot password” flow.
The issue stems from unvalidated input in the password recovery endpoints: specifically, in how the system constructs URLs and validates user-provided data during a reset request. If exploited, an unauthenticated attacker could “perform actions on behalf of a user who initiates a password reset”, taking control of the account at the exact moment it is being recovered.
The risk applies to projects running older versions of the framework with authentication enabled. You are likely affected if you meet all of the following criteria:
- Your project is running a Payload version earlier than v3.79.1.
- You have any auth-enabled collection (such as a ‘Users’ collection).
- You are utilizing the built-in forgot-password functionality.
The Payload team has moved quickly to address the flaw. The latest update introduces significant security improvements:
- Input Validation: Stricter checks are now in place for data sent to recovery endpoints.
- URL Construction: The logic for generating reset links has been “hardened” to prevent manipulation by external actors.
All users are strongly urged to upgrade to v3.79.1 or later immediately.
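The advisory summarised above does not publish the exact request that triggers the flaw, only that reset-link construction and input validation were the weak points and that the fix tightened both. The following TypeScript is an added illustration written for this page, not Payload's own code, and it does not reproduce the actual CVE-2026-34751 trigger. It shows the general pattern behind this class of bug: a reset link whose base URL is taken from request-controlled input (a hypothetical `origin` body field or the `Host` header), beside a hardened version that builds the link only from operator configuration and validates the token and e-mail first. It also includes a small helper for the affected-version criterion quoted above (anything earlier than v3.79.1). The request shape, the `serverURL` setting, the `/admin/reset/<token>` path and the 40-hex-character token format are all assumptions made for the example.

```typescript
// Added example for this page; not Payload's implementation.
// Demonstrates: request-controlled reset-link base (weak) vs config-only
// base with strict validation (hardened), plus an affected-version check.

// Hypothetical minimal request shape, constructed for the example.
interface ResetRequest {
  headers: Record<string, string>;
  body: Record<string, unknown>;
}

// Hypothetical operator config: the only trusted source for the link base.
interface ServerConfig {
  serverURL: string; // e.g. "https://app.example.com"
}

const TOKEN_RE = /^[a-f0-9]{40}$/; // assumed token format for the example
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// WEAK: trusts a body-supplied origin (or the Host header) for the link base.
// Whoever triggers the reset for the victim's address decides where the
// token-bearing link points, so the victim's click delivers the token to them.
export function buildResetLinkWeak(req: ResetRequest, token: string): string {
  const origin = (req.body.origin as string | undefined) ?? `https://${req.headers.host}`;
  return `${origin}/admin/reset/${token}`;
}

// HARDENED: base URL comes only from server config; the token is checked
// against a strict pattern; path/query/fragment are set explicitly so no
// request data can splice extra segments into the link.
export function buildResetLinkHardened(cfg: ServerConfig, token: string): string {
  if (!TOKEN_RE.test(token)) throw new Error("invalid reset token format");
  const url = new URL(cfg.serverURL);
  url.pathname = `/admin/reset/${token}`;
  url.search = "";
  url.hash = "";
  return url.toString();
}

// Input validation for the forgot-password body: one well-formed e-mail,
// nothing else. Extra fields are rejected rather than silently carried along.
export function validateForgotPasswordBody(body: Record<string, unknown>): string {
  const email = body.email;
  if (typeof email !== "string" || email.length > 254 || !EMAIL_RE.test(email)) {
    throw new Error("invalid email");
  }
  const extra = Object.keys(body).filter((k) => k !== "email");
  if (extra.length > 0) throw new Error(`unexpected fields: ${extra.join(",")}`);
  return email.toLowerCase();
}

// True when a Payload version string is earlier than the fixed release 3.79.1.
export function isAffectedPayloadVersion(version: string): boolean {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const cur = m.slice(1).map(Number);
  const fixed = [3, 79, 1];
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== fixed[i]) return cur[i] < fixed[i];
  }
  return false;
}

// Constructed sample: an attacker submits the forgot-password form for the
// victim's address while supplying a spoofed origin and Host.
const attackerReq: ResetRequest = {
  headers: { host: "evil.example" },
  body: { email: "victim@example.com", origin: "https://evil.example" },
};
const sampleToken = "a".repeat(40);

export const weakLink = buildResetLinkWeak(attackerReq, sampleToken);
// -> https://evil.example/admin/reset/aaaa... : the victim's token leaks to the attacker
export const hardenedLink = buildResetLinkHardened(
  { serverURL: "https://app.example.com" },
  sampleToken,
);
// -> https://app.example.com/admin/reset/aaaa... regardless of request headers or body
```

The point to check in your own code is the same one the fix above addresses: the reset link must be derived from configuration the request cannot influence, and every field of the recovery request must be validated before it reaches URL construction or the outgoing e-mail.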