CVE-2026-34751
Published: 01 April 2026
Summary
CVE-2026-34751 is a critical-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Payloadcms Payload. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly manages authenticators including password recovery processes to prevent hijacking via weak mechanisms.
Validates information inputs in the password recovery flow to block external control of assumed-immutable web parameters.
Requires timely identification, reporting, and correction of flaws like this password recovery vulnerability through patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Payload CMS enables remote unauthenticated exploitation of password recovery (T1190) to hijack accounts and perform actions as the victim (T1078).
NVD Description
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who…
more
initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Deeper analysisAI
CVE-2026-34751 is a high-severity vulnerability (CVSS 9.1) affecting Payload, a free and open-source headless content management system, specifically in the @payloadcms/graphql and payload components prior to version 3.79.1. The flaw resides in the password recovery flow, linked to CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). It enables an unauthenticated attacker to hijack the recovery process and execute actions impersonating the legitimate user.
An unauthenticated attacker (AV:N/AC:L/PR:N/UI:N) can exploit this remotely with low complexity and no user interaction required beyond a target user initiating a password reset. By intercepting or manipulating the recovery mechanism, the attacker gains the ability to perform arbitrary actions on behalf of the victim, resulting in high confidentiality (C:H) and integrity (I:H) impacts without availability disruption (A:N).
The issue has been addressed in Payload version 3.79.1 for both @payloadcms/graphql and payload, as detailed in the official GitHub release notes (https://github.com/payloadcms/payload/releases/tag/v3.79.1) and security advisory (https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf). Security practitioners should upgrade to the patched version immediately and review password recovery implementations for similar weaknesses.
Details
- CWE(s)