CVE-2026-34751
Published: 01 April 2026
Summary
CVE-2026-34751 is a critical-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Payloadcms Payload. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-34751 is a high-severity vulnerability (CVSS 9.1) affecting Payload, a free and open-source headless content management system, specifically in the @payloadcms/graphql and payload components prior to version 3.79.1. The flaw resides in the password recovery flow, linked to CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). It enables an unauthenticated attacker to hijack the recovery process and execute actions impersonating the legitimate user.
An unauthenticated attacker (AV:N/AC:L/PR:N/UI:N) can exploit this remotely with low complexity and no user interaction required beyond a target user initiating a password reset. By intercepting or manipulating the recovery mechanism, the attacker gains the ability to perform arbitrary actions on behalf of the victim, resulting in high confidentiality (C:H) and integrity (I:H) impacts without availability disruption (A:N).
The issue has been addressed in Payload version 3.79.1 for both @payloadcms/graphql and payload, as detailed in the official GitHub release notes (https://github.com/payloadcms/payload/releases/tag/v3.79.1) and security advisory (https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf). Security practitioners should upgrade to the patched version immediately and review password recovery implementations for similar weaknesses.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17991
Vulnerability details
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Payload CMS enables remote unauthenticated exploitation of password recovery (T1190) to hijack accounts and perform actions as the victim (T1078).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly manages authenticators, including password recovery processes, to prevent hijacking via weak mechanisms.
- SI-10 (Information Input Validation): validates information inputs in the password recovery flow to block external control of assumed-immutable web parameters.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws like this password recovery vulnerability through patching.