CVE-2025-4644: CWE-384 Session Fixation in Payload CMS Payload
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload.
AI Analysis
Technical Summary
CVE-2025-4644 is a session fixation vulnerability in Payload CMS, specifically in its SQLite adapter. The root cause is the reuse of user identifiers during account creation. An attacker first creates a new user account and captures the JSON Web Token (JWT) issued for it, then deletes the account; the JWT stays valid because the system does not invalidate tokens when an account is deleted. When the next user account is created, the adapter assigns it the identifier previously held by the deleted account, so the captured JWT now authenticates as the new user, hijacking that user's session and granting unauthorized access. The flaw is classified under CWE-384 (Session Fixation) and affects Payload CMS versions prior to 3.44.0, where it has been resolved. The CVSS v4.0 base score is 5.3, a medium severity. The attack vector is network-based with low attack complexity and requires neither privileges nor user interaction, although the attacker must be able to create and delete accounts to exploit the flaw. The impact on confidentiality and integrity is low: the attacker can impersonate the affected user but cannot escalate privileges beyond that user's rights. Availability is not affected. No exploits in the wild were known as of the publication date.
Potential Impact
For European organizations using Payload CMS, this vulnerability poses a risk of unauthorized access through session fixation, potentially allowing attackers to impersonate legitimate users. This can lead to unauthorized data access, modification, or actions performed under the guise of the compromised user. While the impact is limited to the permissions of the affected user, in environments where user roles have elevated privileges or access to sensitive data, the consequences could be significant. This risk is particularly relevant for organizations managing sensitive content, personal data, or critical business workflows via Payload CMS. Additionally, the persistence of valid JWTs after account deletion could complicate incident response and forensic investigations. Given the medium severity and the ease of exploitation without requiring authentication, European organizations should prioritize patching to prevent potential exploitation. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.
Mitigation Recommendations
European organizations should upgrade Payload CMS to version 3.44.0 or later, where this vulnerability is fixed. Until the patch is applied, organizations should implement the following specific mitigations:
1) Monitor and audit account creation and deletion activities to detect suspicious patterns, such as rapid creation and deletion of accounts.
2) Implement additional validation or rate limiting on account creation endpoints to prevent automated abuse.
3) Invalidate JWTs immediately upon account deletion by implementing custom token revocation mechanisms if possible.
4) Review and restrict user permissions to minimize the impact of potential account impersonation.
5) Employ Web Application Firewalls (WAFs) with rules targeting suspicious account management behaviors.
6) Educate administrators and users about the risks of session fixation and encourage prompt reporting of unusual account activities.
These targeted actions complement the patch and reduce the window of exposure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-05-13T07:10:08.331Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b17e4cad5a09ad0076acf9
Added to database: 8/29/2025, 10:17:48 AM
Last enriched: 8/29/2025, 10:32:47 AM
Last updated: 8/29/2025, 10:51:22 AM