Skip to content

Update dependency payload to v3.79.1 [SECURITY]#174

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-payload-vulnerability
Open

Update dependency payload to v3.79.1 [SECURITY]#174
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-payload-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Feb 6, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
payload (source) 3.68.23.79.1 age confidence

payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

CVE-2026-25574 / GHSA-jq29-r496-r955

More information

Details

Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

  • Multiple auth collections configured (e.g., admins + customers)
  • Postgres or SQLite database adapter with serial/auto-increment IDs
  • Users in different auth collections with the same numeric ID

Not affected:

  • @payloadcms/db-mongodb adapter
  • Single auth collection environments
  • Postgres/SQLite with idType: 'uuid'
Patches

This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.

Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads

CVE-2026-27567 / GHSA-hhfx-5x8j-f5f6

More information

Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability exists in Payload's external file upload functionality. When processing external URLs for file uploads, insufficient validation of HTTP redirects could allow an authenticated attacker to access internal network resources.

Users are affected if ALL of these are true:

  • Payload version < v3.75.0
  • At least one collection with upload enabled
  • A user has create access to that upload-enabled collection

An authenticated user with upload collection write permissions could potentially access internal services. Response content from internal services could be retrieved through the application.

Patches

This vulnerability has been patched in v3.75.0. Users should upgrade to v3.75.0 or later.

Workarounds

If users cannot upgrade immediately, they can mitigate this vulnerability by disabling external file uploads via the disableExternalFile upload collection option, or by restricting create access on upload-enabled collections to trusted users only.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery

CVE-2026-34751 / GHSA-hp5w-3hxx-vmwf

More information

Details

Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

  • They are using Payload version < v3.79.1 with any auth-enabled collection using the built-in forgot-password functionality.
Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to v3.79.1 or later.

Workarounds

There are no complete workarounds. Upgrading to v3.79.1 is recommended.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Payload has an SQL Injection via Query Handling

CVE-2026-34747 / GHSA-7xxh-373w-35vg

More information

Details

Impact

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

Patches

This issue has been fixed in v3.79.1 and later. Query input validation has been hardened.

Upgrade to v3.79.1 or later.

Workarounds

Until developers can upgrade:

  • Limit access to endpoints that accept dynamic query inputs to trusted users only.
  • Validate or sanitize input from untrusted clients before sending it to query endpoints.

Severity

  • CVSS Score: 8.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Payload has Authenticated SSRF via Upload Functionality

CVE-2026-34746 / GHSA-6r7f-q7f5-wpx8

More information

Details

Impact

An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.

Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.

Consumers are affected if ALL of these are true:

  • Payload version < v3.79.1
  • At least one collection with upload enabled
  • An authenticated user has create or update access to that collection
Patches

This vulnerability has been patched in v3.79.1. Users should upgrade to v3.79.1 or later.

Workarounds

Until consumers can upgrade:

  • Restrict create and update access to upload-enabled collections to trusted roles only.
  • Limit outbound network access from your Payload server where possible.

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Payload has a CSRF Protection Bypass in Authentication Flow

CVE-2026-34749 / GHSA-p6mr-xf3r-ghq4

More information

Details

Impact

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Consumers are affected if ALL of these are true:

  • Payload version < v3.79.1
  • serverURL is configured
Patches

This vulnerability has been patched in v3.79.1. Additional validation has been added to the authentication flow.

Consumers should upgrade to v3.79.1 or later.

Workarounds

There is no complete workaround without upgrading.

If consumers cannot upgrade immediately, setting cookies.sameSite to 'Strict' will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

payloadcms/payload (payload)

v3.79.1

Compare Source

🐛 Bug Fixes
⚡ Performance
  • richtext-lexical: 3-15x less main thread blocking via centralized toolbar state (#​15832) (2bdf7ce)
📚 Documentation
  • correct type name in editMenuItems client component example (#​15904) (03b20d0)
  • adds req to available args and wraps examples with proper String type conversions in nested-docs (#​15931) (d2a0740)
  • adds docs for logger config (#​15927) (46e43fc)
  • fix links to virtual relationship documentation in both Blocks and Array field documentation (#​15888) (fff60c8)
  • broken anchor link in blocks field table (#​15887) (36c051a)
  • examples: clarify MongoDB prerequisites in Mongo-backed examples (#​15860) (2aa973f)
  • plugin-mcp: updates MCP plugin documentation (#​15729) (b97b4e7)
🧪 Tests
  • adjust total test count to exclude todo tests in summary output (#​15943) (e46daec)
  • fixes pagination and sorting list-view tests due to hydration timing issues (#​15925) (b0f00c4)
  • flaky timeout when clicking Create New button in versions test suite (#​15850) (3fb10e1)
🏡 Chores
🤝 Contributors

v3.79.0

Compare Source

🚀 Features
  • richtext-lexical: separate configuration for lexical block icons (#​15632) (f0498f2)
  • richtext-lexical: upgrade lexical from 0.35.0 to 0.41.0 (#​15760) (ba3bd74)
  • translations: add i18n translations for modular dashboards (#​15004) (cef2838)

Separate Block Icon Configuration (richtext-lexical) — Configure different images for Lexical block icons and block drawer thumbnails independently. Previously, imageURL served both contexts, forcing a compromise between a good 20x20px icon and a good drawer thumbnail. The new images property supports separate icon and thumbnail values with automatic fallback. Fully backwards compatible — imageURL still works but is deprecated. #​15632

image 
const QuoteBlock: Block = {
  slug: 'quote',
  images: {
    icon: 'https://example.com/icons/quote-20x20.svg',
    thumbnail: { url: 'https://example.com/thumbnails/quote-480x320.jpg', alt: 'Quote block' },
  },
  fields: [...],
}

Lexical Upgrade 0.35.0 → 0.41.0 (richtext-lexical) — Upgrades the Lexical rich text editor dependency from v0.35.0 to v0.41.0. Includes upstream fixes like normalizeMarkdown (facebook/lexical#7812). All Lexical breaking changes are handled internally by Payload — no action required for standard usage. If you installed lexical manually, update it to 0.41.0 (though using the re-exported versions from @payloadcms/richtext-lexical/lexical/* is recommended). #​15760

Modular Dashboard Translations (translations) — Adds i18n translation support for the Modular Dashboards feature, covering all dashboard widget buttons and error messages. Previously, dashboard UI elements lacked translation keys, making them inaccessible for non-English users. Also updates the automatic translation script to use GPT-4.1 for improved cost efficiency. #​15004

image
🐛 Bug Fixes
  • restoreVersion validation for localized required fields (#​15821) (e899182)
  • draft doc validation when duplicating docs (#​15816) (f470699)
  • plugin-ecommerce: pass req to Payload API calls in Stripe adapter (#​15839) (74799ea)
  • plugin-import-export: automatically inherit locale and limit from URL queries (#​15812) (ee083f0)
  • plugin-import-export: fix imports with locales in a different column order than exported (#​15808) (410912c)
  • plugin-import-export: fix exports in other non-latin scripts being broken when opened in excel (#​15813) (d931894)
  • ui: drag and drop not working for sortable hasMany fields (#​15845) (2c7ef3f)
  • ui: prevent false positive stale data modal on autosave-enabled documents (#​15817) (6aff717)
  • ui: typo in CodeEditor export statement (#​15795) (c5b2a91)
🛠 Refactors
  • rename widget ComponentPath to Component for consistency (#​15780) (f7d0d04)
📚 Documentation
🧪 Tests
  • update suites selected by default in runTestsWithSummary (#​15789) (07f2f05)
🏡 Chores
  • prevent dev server from dirtying tracked files (#​15826) (cb6f426)
  • plugin-search: clean up .DS_Store file and resulting empty images directory (#​14506) (f6f73dd)
⚠️ BREAKING CHANGES

  • rename widget ComponentPath to Component for consistency (#​15780) (f7d0d04)

    • Renames Widget.ComponentPath to Widget.Component and types it as PayloadComponentinstead ofstring`
    • This aligns dashboard widgets with every other component reference in (collections, globals, fields, admin components) - none of them path in the property name, and all of them are typed as PayloadComponent
    • Enables new typescript plugin to work for widget paths (the plugin uses PayloadComponent contextual type detection - string-typed properties were invisible to it)

  • ui: typo in CodeEditor export statement (#​15795) (c5b2a91)

🤝 Contributors

v3.78.0

Compare Source

🚀 Features
Feature Details

TypeScript Plugin for Component Paths - New @payloadcms/typescript-plugin validates PayloadComponent import paths directly in your IDE. It checks that referenced files and exports exist, provides autocomplete for file paths and export names, supports go-to-definition on component path strings, and understands all Payload path conventions including absolute paths, relative paths, tsconfig aliases, and package imports. #​15779

screenshot.2026-02-26.at.15.55.40.mp4 
pnpm add -D @&#8203;payloadcms/typescript-plugin
{
  "compilerOptions": {
    "plugins": [{ "name": "next" }, { "name": "@&#8203;payloadcms/typescript-plugin" }]
  }
}

Trash Out of Beta with Granular Delete Access - Trash is now a stable feature. Delete access control can now distinguish between trashing and permanently deleting — allowing you to permit users to soft-delete documents while restricting permanent deletion to admins. When data.deletedAt is being set, the operation is a trash; otherwise it's a permanent delete. #​15210

import type { CollectionConfig } from 'payload'

export const Posts: CollectionConfig = {
  slug: 'posts',
  trash: true,
  access: {
    delete: ({ req: { user }, data }) => {
      // Not logged in - no access
      if (!user) {
        return false
      }

      // Admins can do anything (trash or permanently delete)
      if (user.roles?.includes('admin')) {
        return true
      }

      // Regular users: check what operation they're attempting
      // If data.deletedAt is being set, it's a trash operation - allow it
      if (data?.deletedAt) {
        return true
      }

      // Otherwise it's a permanent delete - deny for non-admins
      return false
    },
  },
  fields: [
    // ...
  ],
}

Widget Fields (next, ui) - Dashboard widgets can now declare configurable fields, similar to Blocks. Widget data is editable from a new drawer UI when in dashboard editing mode. Full type generation is included — WidgetInstance<T> is generic with typed data and width, and WidgetServerProps is generic so widget components receive typed widgetData. #​15700

Screen.Recording.2026-02-23.at.16.25.40.mov 
import { buildConfig } from 'payload'

export default buildConfig({
  admin: {
    dashboard: {
      widgets: [
        {
          slug: 'sales-summary',
          ComponentPath: './components/SalesSummary.tsx#default',
          fields: [
            { name: 'title', type: 'text' },
            {
              name: 'timeframe',
              type: 'select',
              options: ['daily', 'weekly', 'monthly', 'yearly'],
            },
            { name: 'showTrend', type: 'checkbox' },
          ],
          minWidth: 'small',
          maxWidth: 'medium',
        },
      ],
    },
  },
})
import type { WidgetServerProps } from 'payload'

import type { SalesSummaryWidget } from '../payload-types'

export default async function SalesSummaryWidgetComponent({
  widgetData,
}: WidgetServerProps<SalesSummaryWidget>) {
  const title = widgetData?.title ?? 'Sales Summary'
  const timeframe = widgetData?.timeframe ?? 'monthly'

  return (
    <div className="card">
      <h3>
        {title} ({timeframe})
      </h3>
    </div>
  )
}

MCP Plugin Out of Beta (plugin-mcp) - @payloadcms/plugin-mcp is now stable and ready for production use. #​15711

Virtual Field Filtering in MCP (plugin-mcp) - Virtual fields (virtual: true) are now automatically stripped from MCP tool input schemas and filtered from parsed data before create, update, and updateGlobal operations. This prevents non-stored fields from appearing as accepted MCP parameters. #​15680

Markdown Transformer for Upload Nodes (richtext-lexical) - Upload nodes are now properly converted when using convertLexicalToMarkdown. Previously, upload nodes were silently dropped during markdown conversion. Now populated image uploads output ![alt text](/uploads/image.jpg), non-image uploads output link syntax, and non-populated uploads output a reference placeholder so data is never lost. #​15630

Dashed Button Style (ui) - Adds a new dashed button style variant. Also replaces box-shadow with border on all buttons and fixes icon-only button padding. #​15728

Button styles overview

Editable Query Presets from Form View (ui) - Query presets can now be created and edited directly from the document form view using a full WhereBuilder, column picker, and groupBy selector — no longer requiring the list view to build queries first. #​15657

Screen.Recording.2026-02-17.at.18.15.34.mov
🐛 Bug Fixes
  • getFieldsToSign crashes when user missing group/tab fields (#​15775) (9f0c101)
  • improve mobile touch support for dnd (#​15771) (418bb92)
  • prevent silent data overwrites on concurrent edits (#​15749) (7a3f43f)
  • preserve block metadata in mergeLocalizedData and filterDataToSelectedLocales (#​15715) (6557292)
  • return 400 for malformed JSON request bodies (#​15706) (4861fa1)
  • globals not updating updatedAt when saving drafts (#​15764) (df17cb1)
  • return early if pasteURL is not defined (#​15748) (23d52a0)
  • prevent req.file leak between sequential duplicate() calls on upload collections (#​15620) (2baea2e)
  • sanitize filenames in storage adapters (#​15746) (45bd2f1)
  • throw error for unknown query operators (#​15739) (08226db)
  • preserve locale data in unnamed groups with localizeStatus (#​15658) (38b8c68)
  • next: conditionally query snapshot field based on localization (#​15693) (d5706ee)
  • plugin-import-export: update docs on jobs and basic usage as well as visibility (#​15695) (a40210c)
  • plugin-mcp: use inline block schemas in JSON output (#​15675) (a66e844)
  • plugin-multi-tenant: hasMany tenant fields double-wrap arrays in filterOptions (#​15709) (aaddeac)
  • plugin-multi-tenant: return false instead of query when no tenants (#​15679) (f5a5bd8)
  • richtext-lexical: bump acorn to resolve type mismatch with transitive dep (#​15791) (801e851)
  • richtext-lexical: link markdown regex should not match similar looking image markdown (#​15713) (0a0afb0)
  • richtext-lexical: use headingLevel in danish heading label (#​15685) (ad4c0f6)
  • richtext-lexical: strip server-only properties from blocks in lexical client schema map (#​15756) (c05ace2)
  • templates: ecommerce find my order access functionality to use email (#​15736) (b317eaa)
  • ui: array field add button margin not applying consistently (#​15773) (ee298f5)
  • ui: respect custom Cell components on richText fields in list view (#​15762) (139cf3e)
  • ui: use correct translation key for collection version restore modal (#​15757) (c1892eb)
  • ui: encode HTML special characters in version diff view (#​15747) (30fee83)
  • ui: flash of border on list selection buttons (#​15735) (7f3c6c8)
🛠 Refactors
🎨 Styles
  • richtext-lexical: lists and quotes have inconsistent letter spacing (#​15682) (f2397a8)
🧪 Tests
📝 Templates
  • fix cloudflare logger error in with-cloudflare-d1 template (#​15752) (8791a72)
  • ecommerce add missing access control on collections (#​15744) (c74d91d)
  • fix ecommerce webhooks url and update docs on using stripe webhooks (#​15681) (677596c)
🏡 Chores
🤝 Contributors

v3.77.0

Compare Source

🚀 Features
Feature Details

Local API Depth Consistency - The depth option passed to Local API calls like payload.find() is now automatically set on req.query.depth. Previously, hooks relying on req.query.depth would behave differently between Local API and REST/GraphQL calls unless you manually passed req: { query: { depth: x } } in addition to depth: x. This change ensures consistent behavior across all API methods. #​15023

Custom ID Support in db.create (db-*) - New customID argument on payload.db.create allows creating documents with a specific ID without requiring a custom ID field in your collection schema. #​15653

payload.db.create({ collection: 'posts', customID: 'ce98d6c4-c3ab-45de-9dfc-bf33d94cc941', data: { } })

MCP Plugin Migration (plugin-mcp) - Migrates from the deprecated @vercel/mcp-adapter to mcp-handler and bumps @modelcontextprotocol/sdk to 1.25.2 addressing a security vulnerability. Exposes new handler options: disableSse, onEvent, and redisUrl. #​15661

import { mcpPlugin } from '@&#8203;payloadcms/plugin-mcp'

export default buildConfig({
  plugins: [
    mcpPlugin({
      // Optional: Enable SSE transport (disabled by default)
      disableSse: false,
      // Optional: Redis URL for SSE session management (defaults to REDIS_URL env)
      redisUrl: 'redis://localhost:6379',
      // Optional: Track MCP events for analytics/debugging
      onEvent: (event) => {
        console.log('MCP event:', event)
      },
    }),
  ],
})
🐛 Bug Fixes
  • hasMany text fields cannot be filtered with contains operator (#​15671) (4513a05)
  • use consistent empty state styling between list and folder views (#​15555) (8953b37)
  • populate previousValue correctly in afterChange hooks for nested lexical fields (#​15623) (1cc3bb9)
  • add i18n support for dashboard edit mode buttons (#​15564) (818e31d)
  • next: handle undefined fieldTab in version diff tabs (#​15590) (bbacab8)
  • plugin-cloud-storage: ensure file data persists across operations (#​15570) (6af3673)
  • plugin-cloud-storage: generateFileURL only ran when disablePayloadAccessControl was true (#​15667) (6c5611c)
  • plugin-import-export: remove deprecated import (#​15666) (733b1df)
  • plugin-import-export: export and import issues when using custom IDs (#​15518) (7e2a3ab)
  • plugin-import-export: columns being duplicated when using toCSV hook (#​15597) (28e07dc)
  • plugin-mcp: resolve union type fields failing in update tool (#​15660) (9ae89dd)
  • plugin-multi-tenant: improve translation for "Tenant" (use "Mandant" instead of "Mieter") (#​15537) (4d4033b)
  • plugin-multi-tenant: tenant selector not appearing after login (#​15617) (dd09f67)
  • storage-r2: build error due to types issue in R2 Bucket type (#​15670) (7d1e233)
  • ui: fix broken polymorphic join edit drawer (#​15621) (d450e99)
📚 Documentation
🧪 Tests
🏡 Chores

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-payload-vulnerability branch from 845b126 to 061c471 Compare February 25, 2026 02:06
@renovate renovate Bot changed the title Update dependency payload to v3.74.0 [SECURITY] Update dependency payload to v3.75.0 [SECURITY] Feb 25, 2026
@renovate renovate Bot force-pushed the renovate/npm-payload-vulnerability branch from 061c471 to 79054a8 Compare March 13, 2026 11:50
@renovate renovate Bot changed the title Update dependency payload to v3.75.0 [SECURITY] Update dependency payload to v3.75.0 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-payload-vulnerability branch March 27, 2026 02:04
@renovate renovate Bot changed the title Update dependency payload to v3.75.0 [SECURITY] - autoclosed Update dependency payload to v3.75.0 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-payload-vulnerability branch 3 times, most recently from 6b74809 to 60a7582 Compare April 1, 2026 21:12
@renovate renovate Bot changed the title Update dependency payload to v3.75.0 [SECURITY] Update dependency payload to v3.79.1 [SECURITY] Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-payload-vulnerability branch from 60a7582 to 7426d35 Compare April 8, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants