CVE-2026-34746
Published: 01 April 2026
Summary
CVE-2026-34746 is a high-severity SSRF (CWE-918) vulnerability in Payloadcms Payload. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks at the 3.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Vendor patch: directly remediates the SSRF vulnerability by requiring timely application of the vendor fix in Payload version 3.79.1.
- SI-10 (Information Input Validation): validates upload request inputs to block malicious payloads that trigger outbound HTTP requests to arbitrary URLs in the upload functionality.
- AC-6 (Least Privilege): limits create and update access on upload-enabled collections, preventing low-privilege authenticated users from exploiting the SSRF.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF allows an attacker to force the server to make outbound requests to arbitrary or internal URLs, directly enabling internal network service discovery (T1046) and cloud metadata API access (T1522), as described in the CVE impacts.
NVD Description
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Deeper analysis
CVE-2026-34746 is an authenticated Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Payload, a free and open-source headless content management system. The flaw exists in the upload functionality prior to version 3.79.1, where authenticated users with create or update access to an upload-enabled collection can manipulate the server into making outbound HTTP requests to arbitrary URLs. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high confidentiality impact with changed scope due to potential access to internal resources.
An attacker requires low-privilege authenticated access, specifically permission to create or update items in an upload-enabled collection. Exploitation involves crafting malicious upload requests that trigger the SSRF, causing the server to connect to attacker-controlled or internal endpoints. Successful attacks can lead to high-impact confidentiality breaches, such as scanning internal networks, accessing metadata services, or bypassing firewall restrictions; the vector records no integrity or availability impact.
The issue has been addressed in Payload version 3.79.1, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 3.79.1 or later, review access controls on upload-enabled collections to enforce least privilege, and monitor outbound traffic from Payload instances for anomalous requests. Relevant advisories are available at the Payload GitHub release page and GHSA-6r7f-q7f5-wpx8.
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)