payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)
- Severity: Medium
Description
A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection.
Recommendation
Update the payload package to the latest compatible version. The version details are as follows:
- Affected version(s): < 3.74.0
- Patched version(s): 3.74.0
- Tags: npm, payload
Last updated on February 07, 2026


