Payload's SQLite adapter Session Fixation vulnerability - @payloadcms/next

Severity:: Medium

Description

A Session Fixation vulnerability existed in Payload’s SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT.

Recommendation

Update the @payloadcms/next package to the latest compatible version. Followings are version details:

Affected version(s): < 3.44.0
Patched version(s): 3.44.0

References

GHSA-26rv-h2hf-3fw4
cert.pl
CVE-2025-4644
CWE-384
CAPEC-310
OWASP 2021-A6
OWASP 2021-A7

Related Issues

Payload's SQLite adapter Session Fixation vulnerability - payload - CVE-2025-4644
Payload's SQLite adapter Session Fixation vulnerability - CVE-2025-4644
Payload does not invalidate JWTs after log out - @payloadcms/next - CVE-2025-4643
@payloadcms/next has Stored XSS in Admin Panel - CVE-2026-34748

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:: npm; @payloadcms/next

Anything's wrong? Let us know Last updated on August 29, 2025