Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery

Description

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Recommendation

Update the @payloadcms/graphql package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.79.1
• Patched version(s): 3.79.1

References

• GHSA-hp5w-3hxx-vmwf
• CVE-2026-34751
• CWE-472
• CWE-640
• CAPEC-310
• OWASP 2021-A4
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery - payload - CVE-2026-34751
• Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
• OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover - CVE-2026-44720
• StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation - CVE-2026-32103

You might also like:

How do hackers hack websites?

Should I Hide My Admin Login Page? Yes, You Should!

Update Cheat Sheet for Developers

Tags:

npm

@payloadcms/graphql