@delmaredigital/payload-puck is missing authorization on /api/puck/* CRUD endpoints, allowing unauthenticated access to Puck
- Severity: High
Description
All /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with its default of overrideAccess: true, which bypasses all collection-level access control. As a result, the access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints: requests that would have been rejected by those rules, including requests with no authenticated user, were served.
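The following is an added example, not code from payload-puck or from Payload itself. It models, in a hypothetical `MiniPayload` class, the one behaviour that matters here: Payload's local API defaults `overrideAccess` to `true`, so a route handler that calls it without `overrideAccess: false` and the request's `user` never runs the collection's `access` functions. The option names `overrideAccess` and `user` are Payload's real local-API options; the collection slug, the access rules and the sample document are constructed for the example.

```typescript
// Added example: minimal model of Payload's local-API overrideAccess semantics.
// MiniPayload is hypothetical; it is not Payload's implementation.

type User = { id: string; roles: string[] } | null;
type AccessFn = (args: { req: { user: User } }) => boolean;

interface CollectionConfig {
  slug: string;
  access: { read: AccessFn; update: AccessFn };
  docs: Array<{ id: string; title: string }>;
}

interface LocalArgs {
  collection: string;
  user?: User;            // who the operation runs as (Payload sets this from req.user)
  overrideAccess?: boolean; // Payload defaults this to true for the local API
}

function forbidden(): Error {
  const e = new Error('You are not allowed to perform this action.');
  e.name = 'Forbidden'; // name check instead of instanceof, which breaks on ES5 targets
  return e;
}

class MiniPayload {
  private collections: CollectionConfig[];
  constructor(collections: CollectionConfig[]) { this.collections = collections; }

  private get(slug: string): CollectionConfig {
    const col = this.collections.find((c) => c.slug === slug);
    if (!col) throw new Error(`unknown collection ${slug}`);
    return col;
  }

  // Access rules are consulted only when overrideAccess is explicitly false.
  find({ collection, user = null, overrideAccess = true }: LocalArgs) {
    const col = this.get(collection);
    if (!overrideAccess && !col.access.read({ req: { user } })) throw forbidden();
    return { docs: col.docs };
  }

  update({ collection, user = null, overrideAccess = true }: LocalArgs, id: string, title: string) {
    const col = this.get(collection);
    if (!overrideAccess && !col.access.update({ req: { user } })) throw forbidden();
    const doc = col.docs.find((d) => d.id === id);
    if (!doc) throw new Error(`no document ${id}`);
    doc.title = title;
    return doc;
  }
}

// Constructed collection: reads need a logged-in user, updates need the admin role.
const puckPages: CollectionConfig = {
  slug: 'puck-pages',
  access: {
    read: ({ req }) => req.user !== null,
    update: ({ req }) => req.user !== null && req.user.roles.indexOf('admin') !== -1,
  },
  docs: [{ id: 'home', title: 'Home' }],
};

const payload = new MiniPayload([puckPages]);

// Vulnerable handler shape: overrideAccess left at its default, so the
// collection's access.read never runs and an anonymous caller gets the docs.
function vulnerableList(_user: User) {
  return payload.find({ collection: 'puck-pages' });
}

// Hardened handler: forward the request's user and disable the override, so the
// collection rules apply exactly as they do on Payload's own REST routes.
function hardenedList(user: User) {
  return payload.find({ collection: 'puck-pages', user, overrideAccess: false });
}

function hardenedUpdate(user: User, id: string, title: string) {
  return payload.update({ collection: 'puck-pages', user, overrideAccess: false }, id, title);
}

// Returns true when fn throws the access-control error, false otherwise.
function isForbidden(fn: () => unknown): boolean {
  try { fn(); return false; } catch (e) { return (e as Error).name === 'Forbidden'; }
}
```

When auditing a plugin's custom endpoints, grep its handlers for local-API calls (`payload.find`, `payload.create`, `payload.update`, `payload.delete`) and check each one for an explicit `overrideAccess: false` together with the request's `user`; a call that omits either runs with full access regardless of what the collection config says.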
Recommendation
Update the @delmaredigital/payload-puck package to the latest compatible version. Version details:
- Affected version(s): < 0.6.23
- Patched version(s): 0.6.23
References
Related Issues
- Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls - CVE-2026-42856
- Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass - CVE-2026-45577
- StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts - CVE-2026-32106
- Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, a - CVE-2026-45717
- Tags: npm, @delmaredigital/payload-puck
Last updated on April 08, 2026


