← Back
2026-02-06 21:4CVE-2026-25574GitHub_M
PUBLISHED5.2CWE-639

Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.

Problem type

Affected products

payloadcms

payload

< 3.74.0 - AFFECTED

References

https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955

https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-jq29-r496-r955

payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

https://github.com/advisories/GHSA-jq29-r496-r955

Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

  • Multiple auth collections configured (e.g., admins + customers)
  • Postgres or SQLite database adapter with serial/auto-increment IDs
  • Users in different auth collections with the same numeric ID

Not affected:

  • @payloadcms/db-mongodb adapter
  • Single auth collection environments
  • Postgres/SQLite with idType: 'uuid'

Patches

This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.

Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.

github.com

https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-25574

github.com

https://github.com/advisories/GHSA-jq29-r496-r955

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-25574
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-25574",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-02-06T21:04:48.036Z",
    "dateReserved": "2026-02-03T01:02:46.714Z",
    "datePublished": "2026-02-06T21:04:48.036Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-02-06T21:04:48.036Z"
      },
      "title": "Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)",
      "descriptions": [
        {
          "lang": "en",
          "value": "Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0."
        }
      ],
      "affected": [
        {
          "vendor": "payloadcms",
          "product": "payload",
          "versions": [
            {
              "version": "< 3.74.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "cweId": "CWE-639",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955",
          "name": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    }
  }
}