CVE-2026-39397
Published: 07 April 2026
Summary
CVE-2026-39397 is a critical-severity Missing Authorization (CWE-862) vulnerability in Delmaredigital Payload-Puck. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 29.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39397 affects the @delmaredigital/payload-puck plugin for PayloadCMS, which integrates the Puck visual page builder. In versions prior to 0.6.23, all CRUD endpoint handlers under /api/puck/* registered by the createPuckPlugin() function invoked Payload's local API with the default overrideAccess: true setting. This bypassed all collection-level access controls, silently ignoring any access options passed to createPuckPlugin() and access rules defined on Puck-registered collections. The vulnerability is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), targeting the exposed /api/puck/* endpoints. Successful exploitation allows arbitrary CRUD operations on Puck-managed collections, resulting in high confidentiality impact (C:H) through unauthorized data access, high integrity impact (I:H) via unauthorized modifications, and low availability impact (A:L), all within unchanged scope (S:U).
The vulnerability is fixed in version 0.6.23 of the payload-puck plugin. Security practitioners should upgrade immediately. Relevant advisories and details are available in the GitHub security advisory (GHSA-65w6-pf7x-5g85), issue tracker (#7), and fixing commit (9148201c6bbfa140d44546438027a2f8a70f79a4).
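To make the failure mode concrete, the following JavaScript is an added illustration, not code from the payload-puck project or from Payload CMS. It uses a small constructed stand-in for Payload's local API in which `overrideAccess` defaults to true and, when true, skips the collection's access functions entirely. The option names `overrideAccess` and `user` follow the local API options the advisory refers to; the `pages` collection, its access rules, the handler names and the request objects are assumptions made for the example.

```javascript
// Added example, not code from payload-puck or Payload CMS. A constructed
// stand-in for Payload's local API shows why a handler that relies on the
// default overrideAccess: true serves every caller as if it were trusted.

class ForbiddenError extends Error {
  constructor(msg = 'Forbidden') {
    super(msg);
    this.name = 'ForbiddenError';
  }
}

// Constructed collection: Puck-managed "pages", readable by any logged-in
// user and writable only by admins. The access functions mirror the shape
// of Payload collection access rules (they receive the requesting user).
const collections = {
  pages: {
    docs: [
      { id: 1, title: 'Home' },
      { id: 2, title: 'Pricing' },
    ],
    access: {
      read: ({ user }) => Boolean(user),
      update: ({ user }) => Boolean(user && user.role === 'admin'),
    },
  },
};

// Stand-in for the local API's find(): overrideAccess defaults to true,
// and when it is true no access rule is evaluated at all.
function find({ collection, overrideAccess = true, user = null }) {
  const col = collections[collection];
  if (!col) throw new Error(`unknown collection: ${collection}`);
  if (!overrideAccess && !col.access.read({ user })) throw new ForbiddenError();
  return col.docs.map((d) => ({ ...d }));
}

// Stand-in for the local API's update(), with the same default.
function update({ collection, id, data, overrideAccess = true, user = null }) {
  const col = collections[collection];
  if (!col) throw new Error(`unknown collection: ${collection}`);
  if (!overrideAccess && !col.access.update({ user })) throw new ForbiddenError();
  const doc = col.docs.find((d) => d.id === id);
  if (!doc) throw new Error(`no document with id ${id}`);
  Object.assign(doc, data);
  return { ...doc };
}

// Vulnerable handler shape (the pre-0.6.23 behaviour the advisory
// describes): the local API is called with its defaults, so req.user and
// the collection's access rules are never consulted.
function vulnerableReadHandler(req) {
  return find({ collection: 'pages' });
}

function vulnerableUpdateHandler(req, id, data) {
  return update({ collection: 'pages', id, data });
}

// Hardened handler shape: forward the requesting user and set
// overrideAccess: false so the collection's own rules decide.
function hardenedReadHandler(req) {
  return find({ collection: 'pages', overrideAccess: false, user: req.user });
}

function hardenedUpdateHandler(req, id, data) {
  return update({ collection: 'pages', id, data, overrideAccess: false, user: req.user });
}

// Regression check worth keeping in a test suite: true only when the call
// is rejected by an access rule rather than succeeding or failing otherwise.
function isForbidden(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof ForbiddenError;
  }
}

// Constructed requests: an anonymous caller, an editor and an admin.
const anon = { user: null };
const editor = { user: { id: 7, role: 'editor' } };
const admin = { user: { id: 1, role: 'admin' } };
```

Running `hardenedReadHandler(anon)` throws `ForbiddenError`, while `vulnerableReadHandler(anon)` returns every page; the `isForbidden` helper turns that difference into an assertion you can keep in CI so an access regression on a plugin-registered endpoint is caught before deployment.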
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19921
Vulnerability details
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating the Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes unauthenticated CRUD access to public /api/puck/* endpoints by bypassing collection-level authorization controls in a web application, directly enabling T1190 (Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations for access to system resources, directly preventing the bypass of collection-level access controls on /api/puck/* CRUD endpoints.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws, enabling patching of the overrideAccess: true bypass in payload-puck prior to version 0.6.23.
- AC-6 (Least Privilege): Applies least privilege to restrict processes and users to necessary accesses, mitigating the impact of unauthorized CRUD operations on Puck-managed collections.