Payload has a CSRF Protection Bypass in Authentication Flow

Description

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Recommendation

Update the payload package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.79.1
• Patched version(s): 3.79.1

References

• GHSA-p6mr-xf3r-ghq4
• CVE-2026-34749
• CWE-352
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• SillyTavern has Authentication Bypass via SSO Header Injection - CVE-2026-44649
• @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass - CVE-2026-40073
• Parse Server has role escalation and CLP bypass via direct `_Join` table write - CVE-2026-30966
• payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments) - CVE-2026-25574

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

payload