CVE-2026-25574: CWE-639: Authorization Bypass Through User-Controlled Key in payloadcms payload
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
AI Analysis
Technical Summary
CVE-2026-25574 is a medium severity authorization bypass (CWE-639, Authorization Bypass Through User-Controlled Key) in Payload, the open-source headless CMS, affecting versions prior to 3.74.0. The flaw sits in the internal payload-preferences collection, which stores per-user settings and links each record to its owner through a relationship that can point at any of the project's auth collections. Two conditions are needed: the project defines more than one auth collection (for example an admin users collection and a separate customers collection), and it runs on Postgres or SQLite with the default serial/auto-increment IDs. Each auth collection is its own table with its own sequence, so the same integer (users/1 and customers/1) identifies two unrelated accounts. The advisory's wording, that access crosses collections "when their numeric IDs collide", implies the ownership check compared only the numeric user ID and not the collection the requester belongs to. An authenticated user in one auth collection can therefore read and delete the preference records of a user in another collection who happens to share their ID. This is an Insecure Direct Object Reference (IDOR) because the object key is supplied by the requester and is not scoped to the requester's collection. Exploitation requires authentication but no user interaction and is reachable over the network. Confidentiality and integrity are affected (read and delete); availability is not. The CVSS v3.1 base score is 5.4 (medium), which is what a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N yields and is consistent with the description above. The fix shipped in 3.74.0; the advisory does not describe it, but it presumably tightens the ownership check to the (collection, ID) pair or otherwise separates the ID spaces. MongoDB deployments and deployments with UUID primary keys do not meet the collision precondition, although upgrading remains the supported remediation. No exploitation in the wild is reported as of publication.
Potential Impact
For European organizations running Payload with two or more auth collections on Postgres or SQLite with default serial IDs, the vulnerability lets one authenticated account read and delete the stored preferences of an account in a different auth collection that shares its numeric ID. Preference records typically hold admin UI state (column layouts, collapsed sections, locale and similar settings), so the direct confidentiality impact is limited, which the 5.4 score reflects; the integrity impact is loss of those per-user settings and the resulting disruption to editors and administrators. The concern is sharper where auth collections separate trust levels, for example an admin collection alongside a customer-facing one: a low-privilege customer account can reach records belonging to an admin with the same ID. This matters more in finance, healthcare and public administration, and any cross-collection access to user data is unauthorised processing under GDPR, with the usual legal and reputational consequences. Insight into another user's settings could also support more targeted follow-on attacks or social engineering. Availability is not affected.
Mitigation Recommendations
Upgrade Payload to 3.74.0 or later; that is the supported fix. Before or while planning the upgrade, establish whether the precondition applies: the project must define more than one collection with auth enabled and must use the Postgres or SQLite adapter with default serial IDs. Single-auth-collection projects, MongoDB projects and projects already on UUID primary keys do not meet it. Where it does apply and patching must wait, compare the ID ranges of the auth collections (for example the maximum ID in each table): overlapping ranges mean colliding accounts exist today, and non-overlapping ranges only hold until the next insert. Defence-in-depth options: enforce, at the application layer in front of the preferences endpoints, that the owner of a preference record matches both the requester's collection and the requester's ID before any read or delete; and for new deployments prefer non-colliding primary keys, which Payload's database adapters expose through an idType option (for example postgresAdapter({ idType: 'uuid' })). Changing the ID type on an existing database is a data migration, not a configuration toggle, and UUIDs remove the collision rather than the missing check, so they are not a substitute for the upgrade. Log access to the preferences endpoints together with the requester's collection and ID so that reads or deletes crossing collections can be spotted. After patching, audit preference records for unexpected deletions and for access involving colliding IDs. Finally, treat this as a design lesson for any multi-auth-collection setup: a per-table serial ID is only unique together with its collection name, so every ownership check must compare the pair.
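To make the collision and the fix concrete, here is an added example in TypeScript; it is not Payload's code and calls none of Payload's APIs. It models a preference store with constructed data for two hypothetical auth collections, `users` and `customers`, whose serial sequences both start at 1, and compares an ownership check that matches on the numeric ID alone (the behaviour the advisory describes) with one that matches on the (collection, ID) pair. The `findCollidingIds` helper is the audit step from the recommendations above: given the IDs present in each auth collection, it lists the integers that occur in more than one, which are the accounts that could reach each other's preferences on an unpatched instance.

```typescript
// Added example, not Payload's own code. Models the ownership check behind
// CVE-2026-25574 on constructed data: a vulnerable and a hardened comparison,
// plus an audit helper for numeric IDs shared across auth collections.

// Hypothetical auth collections; a real project names its own.
type AuthCollection = 'users' | 'customers';

// The requester as the server sees it after authentication.
interface AuthenticatedUser {
  id: number;                 // serial ID: unique only within its own table
  collection: AuthCollection; // which auth collection the session belongs to
}

// A preference record whose owner is a polymorphic relationship: the owner
// is the pair (relationTo, value), never the number on its own.
interface PreferenceRecord {
  id: number;
  key: string;
  value: unknown;
  user: { relationTo: AuthCollection; value: number };
}

type OwnershipCheck = (p: PreferenceRecord, req: AuthenticatedUser) => boolean;

// Constructed sample store. Both tables started their sequence at 1, so
// users/1 and customers/1 are two different people.
const preferences: PreferenceRecord[] = [
  { id: 1, key: 'collection-users-columns', value: ['email', 'roles'], user: { relationTo: 'users', value: 1 } },
  { id: 2, key: 'locale', value: 'de', user: { relationTo: 'customers', value: 1 } },
  { id: 3, key: 'locale', value: 'fr', user: { relationTo: 'customers', value: 2 } },
];

// Vulnerable: compares only the numeric ID, so it cannot tell customers/1
// from users/1. This is the cross-collection IDOR the advisory describes.
const ownsPreferenceVulnerable: OwnershipCheck = (p, req) =>
  p.user.value === req.id;

// Hardened: ownership is the (collection, id) pair.
const ownsPreferenceHardened: OwnershipCheck = (p, req) =>
  p.user.relationTo === req.collection && p.user.value === req.id;

// Read path: every record the requester may see under the given check.
function readPreferences(
  store: PreferenceRecord[], req: AuthenticatedUser, owns: OwnershipCheck,
): PreferenceRecord[] {
  return store.filter((p) => owns(p, req));
}

// Delete path: returns the IDs that would be removed and the surviving store
// (the input is not mutated).
function deletePreferences(
  store: PreferenceRecord[], req: AuthenticatedUser, owns: OwnershipCheck,
): { deleted: number[]; remaining: PreferenceRecord[] } {
  const deleted = store.filter((p) => owns(p, req)).map((p) => p.id);
  const remaining = store.filter((p) => !owns(p, req));
  return { deleted, remaining };
}

// Audit helper: numeric IDs present in more than one auth collection, with
// the collections each one appears in. Input: collection slug -> IDs in use.
function findCollidingIds(
  idsByCollection: Record<string, number[]>,
): Record<number, string[]> {
  const owners: Record<number, string[]> = {};
  for (const [slug, ids] of Object.entries(idsByCollection)) {
    for (const id of ids) {
      if (!owners[id]) owners[id] = [];
      owners[id].push(slug);
    }
  }
  const colliding: Record<number, string[]> = {};
  for (const [id, slugs] of Object.entries(owners)) {
    if (slugs.length > 1) colliding[Number(id)] = slugs;
  }
  return colliding;
}

// Walk-through: customers/1 reading preferences under each check.
const customerOne: AuthenticatedUser = { id: 1, collection: 'customers' };
console.log(readPreferences(preferences, customerOne, ownsPreferenceVulnerable).map((p) => p.id)); // [1, 2]: users/1 leaked
console.log(readPreferences(preferences, customerOne, ownsPreferenceHardened).map((p) => p.id));   // [2]
console.log(findCollidingIds({ users: [1, 2, 3], customers: [1, 2, 4] }));                          // { 1: [users, customers], 2: [users, customers] }
```

Against a real instance the ID lists fed to `findCollidingIds` would come from each auth collection's table. An empty result means the collision precondition is not met today, which bounds exposure but does not replace the upgrade, because the next inserted row in either table can create a collision.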
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-03T01:02:46.714Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69865d61f9fa50a62f35a6b7
Added to database: 2/6/2026, 9:30:09 PM
Last enriched: 2/14/2026, 12:09:58 PM
Last updated: 3/24/2026, 2:10:58 AM