
CVE-2026-25574: CWE-639: Authorization Bypass Through User-Controlled Key in payloadcms payload

Severity: Medium
Published: Fri Feb 06 2026 (02/06/2026, 21:04:48 UTC)
Source: CVE Database V5
Vendor/Project: payloadcms
Product: payload

Description

CVE-2026-25574 is a medium severity authorization bypass vulnerability affecting Payload CMS versions prior to 3.74.0. It arises from an Insecure Direct Object Reference (IDOR) in the internal payload-preferences collection, allowing authenticated users in one authentication collection to read and delete preferences of users in other authentication collections when numeric IDs collide. This issue occurs in multi-auth collection environments using Postgres or SQLite with default auto-increment IDs. Exploitation requires authentication but no user interaction and can lead to unauthorized disclosure and modification of user preferences. The vulnerability has been patched in version 3.74.0. European organizations using Payload CMS in multi-auth setups should prioritize updating to mitigate risk.

AI-Powered Analysis

Last updated: 02/06/2026, 21:45:01 UTC

Technical Analysis

CVE-2026-25574 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Payload CMS, a free and open-source headless content management system. The vulnerability exists in versions prior to 3.74.0 within the payload-preferences internal collection, specifically in environments configured with multiple authentication collections using Postgres or SQLite databases with default serial or auto-increment numeric IDs. Due to ID collisions across different authentication collections, an authenticated user from one collection can access and delete preference records belonging to users in other collections. This is an instance of an Insecure Direct Object Reference (IDOR) where the system fails to properly enforce authorization checks across collections. The vulnerability does not require user interaction but does require the attacker to be authenticated. Exploitation can lead to unauthorized reading and deletion of user preference data, impacting confidentiality and integrity but not availability. The issue has been addressed and patched in Payload CMS version 3.74.0. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 5.4, indicating a medium severity level with network attack vector, low attack complexity, requiring privileges but no user interaction, and limited impact on confidentiality and integrity.
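The following is an added illustration of the CWE-639 pattern described above, written for this page and not taken from Payload CMS source code. It models two authentication collections that both use serial integer IDs, a preferences store whose owner field is a polymorphic relation (collection slug plus numeric ID), and two ownership predicates: one that compares only the numeric ID and one that compares the (collection, ID) pair. The collection slugs, record shapes and function names are assumptions made for the example.

```javascript
// Added illustration of an ID-collision IDOR across auth collections (CWE-639).
// Hypothetical model, not Payload CMS code: slugs, shapes and names are assumed.

// Two auth collections that both use serial integer IDs, so IDs collide.
const STAFF = 'users';
const CUSTOMERS = 'customers';

// Constructed preference records. The owner is stored as a polymorphic relation
// { relationTo: <collection slug>, value: <numeric id> }.
const PREFERENCES = [
  { id: 10, key: 'dashboard-layout', value: { columns: 3 }, user: { relationTo: STAFF, value: 1 } },
  { id: 11, key: 'locale', value: 'de', user: { relationTo: CUSTOMERS, value: 1 } },
  { id: 12, key: 'locale', value: 'fr', user: { relationTo: CUSTOMERS, value: 2 } },
];

// Vulnerable ownership check: compares only the numeric ID, so customers/1
// satisfies it for a record owned by users/1.
function ownsVulnerable(pref, requester) {
  return pref.user.value === requester.id;
}

// Hardened ownership check: the owner key is the pair (collection, ID).
function ownsHardened(pref, requester) {
  return pref.user.relationTo === requester.collection && pref.user.value === requester.id;
}

// Read a preference, applying whichever ownership predicate the caller supplies.
// Returns null both for "not found" and "not authorised" so the two are indistinguishable.
function readPreference(store, requester, prefId, owns) {
  const pref = store.find((p) => p.id === prefId);
  if (!pref || !owns(pref, requester)) return null;
  return pref.value;
}

// Delete a preference under the same predicate; returns the number of records removed.
function deletePreference(store, requester, prefId, owns) {
  const idx = store.findIndex((p) => p.id === prefId && owns(p, requester));
  if (idx === -1) return 0;
  store.splice(idx, 1);
  return 1;
}

// Run one cross-collection request against both predicates and report what each allowed.
// Deletes operate on shallow copies so PREFERENCES itself is left intact.
function demo() {
  const customer1 = { collection: CUSTOMERS, id: 1 };
  const staffPrefId = 10; // owned by users/1, which collides on ID with customers/1
  return {
    vulnerableRead: readPreference(PREFERENCES, customer1, staffPrefId, ownsVulnerable),
    hardenedRead: readPreference(PREFERENCES, customer1, staffPrefId, ownsHardened),
    ownRead: readPreference(PREFERENCES, customer1, 11, ownsHardened),
    vulnerableDeleted: deletePreference([...PREFERENCES], customer1, staffPrefId, ownsVulnerable),
    hardenedDeleted: deletePreference([...PREFERENCES], customer1, staffPrefId, ownsHardened),
  };
}

console.log(demo());
```

The point of the pair is that the numeric ID alone is not a unique key once several collections hand out the same integers; the authorization check has to include the collection the requester authenticated against, which is what the hardened predicate does while still allowing the customer to read their own record.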

Potential Impact

For European organizations using Payload CMS in multi-authentication collection configurations with Postgres or SQLite databases, this vulnerability could allow an authenticated user to access and delete preference data of other users across authentication boundaries. This could lead to unauthorized disclosure of sensitive user settings or preferences and potential disruption of user experience or application behavior due to deleted preferences. While the impact on availability is negligible, the breach of confidentiality and integrity could undermine trust in the system and potentially expose sensitive configuration or personalization data. Organizations subject to strict data protection regulations, such as GDPR, could face compliance risks if unauthorized access to user data occurs. The vulnerability's exploitation requires authentication, limiting exposure to internal or compromised users, but insider threats or compromised accounts could leverage this flaw. Since Payload CMS is used in content management, the integrity of user preferences may affect content delivery or administrative functions, potentially impacting business operations or user satisfaction.

Mitigation Recommendations

The primary mitigation is to upgrade Payload CMS to version 3.74.0 or later, where this vulnerability has been patched. Organizations should audit their Payload CMS deployments to identify multi-auth collection configurations using Postgres or SQLite with default auto-increment IDs. As an interim measure before patching, restrict access to authenticated users and enforce strict access controls and monitoring on user preference data. Implement logging and alerting for unusual access or deletion patterns in the payload-preferences collection. Review and harden authentication and authorization mechanisms to prevent privilege escalation or unauthorized access across collections. Consider database-level access controls or row-level security policies to isolate data between authentication collections. Conduct regular security assessments and penetration testing focused on authorization controls within the CMS environment. Finally, educate administrators and developers about the risks of IDOR vulnerabilities and the importance of proper authorization validation.
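As an added example of the logging and alerting recommendation above (not part of Payload CMS), the following detector runs over a constructed JSON-lines audit log. The log format is an assumption for this example: each line records the requester's collection and ID, the operation, and the owner relation of the targeted payload-preferences record. The detector flags every access where the requester's collection differs from the record owner's collection, and separately flags any requester whose deletions in the preferences collection exceed a threshold within a sliding time window.

```javascript
// Added detection example for the payload-preferences logging recommendation.
// The audit-log shape below is a constructed assumption, not a Payload CMS format.

const SAMPLE_AUDIT_LOG = [ // constructed sample lines
  '{"ts":"2026-02-06T21:00:01Z","op":"read","requester":{"collection":"customers","id":1},"target":{"collection":"payload-preferences","id":11,"owner":{"relationTo":"customers","value":1}}}',
  '{"ts":"2026-02-06T21:00:05Z","op":"read","requester":{"collection":"customers","id":1},"target":{"collection":"payload-preferences","id":10,"owner":{"relationTo":"users","value":1}}}',
  '{"ts":"2026-02-06T21:00:06Z","op":"delete","requester":{"collection":"customers","id":1},"target":{"collection":"payload-preferences","id":10,"owner":{"relationTo":"users","value":1}}}',
  '{"ts":"2026-02-06T21:00:07Z","op":"delete","requester":{"collection":"customers","id":1},"target":{"collection":"payload-preferences","id":13,"owner":{"relationTo":"users","value":3}}}',
  '{"ts":"2026-02-06T21:00:09Z","op":"delete","requester":{"collection":"customers","id":1},"target":{"collection":"payload-preferences","id":14,"owner":{"relationTo":"users","value":4}}}',
  '{"ts":"2026-02-06T21:05:00Z","op":"delete","requester":{"collection":"users","id":2},"target":{"collection":"payload-preferences","id":20,"owner":{"relationTo":"users","value":2}}}',
  'not json at all',
];

// Parse one line; malformed or incomplete entries are reported rather than crashing the run.
function parseLine(line) {
  try {
    const e = JSON.parse(line);
    if (!e.ts || !e.op || !e.requester || !e.target || !e.target.owner) return null;
    return e;
  } catch (err) {
    return null;
  }
}

// Returns cross-collection accesses, delete bursts per requester, and the malformed-line count.
function analyzeAuditLog(lines, { deleteBurstThreshold = 3, windowSeconds = 60 } = {}) {
  const crossCollection = [];    // requester collection != owner collection
  const deleteTimes = new Map(); // "collection/id" -> delete timestamps (ms)
  let malformed = 0;

  for (const line of lines) {
    const e = parseLine(line);
    if (!e) { malformed += 1; continue; }
    if (e.target.collection !== 'payload-preferences') continue;

    const requesterKey = `${e.requester.collection}/${e.requester.id}`;
    if (e.target.owner.relationTo !== e.requester.collection) {
      crossCollection.push({
        ts: e.ts,
        op: e.op,
        requester: requesterKey,
        prefId: e.target.id,
        owner: `${e.target.owner.relationTo}/${e.target.owner.value}`,
      });
    }
    if (e.op === 'delete') {
      if (!deleteTimes.has(requesterKey)) deleteTimes.set(requesterKey, []);
      deleteTimes.get(requesterKey).push(Date.parse(e.ts));
    }
  }

  // Sliding window over each requester's sorted delete timestamps.
  const windowMs = windowSeconds * 1000;
  const deleteBursts = [];
  for (const [requester, times] of deleteTimes) {
    times.sort((a, b) => a - b);
    let best = 0;
    let j = 0;
    for (let i = 0; i < times.length; i += 1) {
      while (j < times.length && times[j] - times[i] <= windowMs) j += 1;
      best = Math.max(best, j - i);
    }
    if (best >= deleteBurstThreshold) deleteBursts.push({ requester, deletes: best, windowSeconds });
  }

  return { crossCollection, deleteBursts, malformed };
}

console.log(JSON.stringify(analyzeAuditLog(SAMPLE_AUDIT_LOG), null, 2));
```

In a patched deployment the cross-collection finding should never fire for a successful operation, so any hit is worth an alert regardless of count; before patching, the same finding is the direct indicator of this bug being exercised. The burst detector is a coarser signal that does not depend on the owner relation being logged, and its threshold and window are parameters to tune against normal preference churn.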


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-03T01:02:46.714Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69865d61f9fa50a62f35a6b7

Added to database: 2/6/2026, 9:30:09 PM

Last enriched: 2/6/2026, 9:45:01 PM

Last updated: 2/6/2026, 10:32:29 PM
