Payload has a CSRF Protection Bypass in Authentication Flow

Description

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Recommendation

Update the payload package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.79.1
• Patched version(s): 3.79.1

References

• GHSA-p6mr-xf3r-ghq4
• CVE-2026-34749
• CWE-352
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649
• OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover - CVE-2026-44720
• Parse Server has a password reset token single-use bypass via concurrent requests - CVE-2026-32943
• Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Tags:

npm

payload