Payload has Authenticated SSRF via Upload Functionality

Description

An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.

Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.

Recommendation

Update the payload package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.79.1
• Patched version(s): 3.79.1

References

• GHSA-6r7f-q7f5-wpx8
• CVE-2026-34746
• CWE-918
• CAPEC-310
• OWASP 2021-A10
• OWASP 2021-A6

Related Issues

• Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget - CVE-2026-45012
• Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-gcs - CVE-2026-34750
• Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-azure - CVE-2026-34750
• Astro has Full-Read SSRF in error rendering via Host: header injection - CVE-2026-25545

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

payload