Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Severity:: Medium

Description

The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location.

Recommendation

Update the @payloadcms/storage-s3 package to the latest compatible version. Followings are version details:

Affected version(s): < 3.78.0
Patched version(s): 3.78.0

References

GHSA-frq9-7j6g-v74x
CVE-2026-34750
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-azure - CVE-2026-34750
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-r2 - CVE-2026-34750
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints - @payloadcms/storage-gcs - CVE-2026-34750
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; @payloadcms/storage-s3

Anything's wrong? Let us know Last updated on April 01, 2026