payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)
- Severity: Medium
Description
A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection.
Recommendation
Update the payload package to the latest compatible version. Version details:
- Affected version(s): < 3.74.0
- Patched version(s): 3.74.0
References
Related Issues
- Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
- Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing - CVE-2026-1664
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings - CVE-2026-32104
- Tags: npm, payload
Last updated on February 07, 2026