CVE-2026-34749: CWE-352: Cross-Site Request Forgery (CSRF) in payloadcms payload
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
AI Analysis
Technical Summary
PayloadCMS, a headless content management system, had a Cross-Site Request Forgery vulnerability (CWE-352) in its authentication flow before version 3.79.1. Under certain conditions the CSRF protection configured for the deployment could be bypassed, so a site the attacker controls could make the browser of an already-authenticated user send requests to the Payload instance that the server treated as legitimate. Because CSRF rides on the victim's session rather than on stolen credentials, the exposure is to integrity and availability, not to confidentiality. The issue was assigned CVE-2026-34749 and is fixed in version 3.79.1.
Potential Impact
Successful exploitation could allow an attacker to perform unauthorized actions on behalf of an authenticated user via cross-site requests, with limited integrity and availability impact. Confidentiality is not affected, since a forged cross-site request cannot read the response. No active exploitation has been reported.
Mitigation Recommendations
Upgrade PayloadCMS to version 3.79.1 or later, where this CSRF vulnerability has been patched. The vendor advisory indicates no other mitigation. As a general hardening check (not a vendor-stated workaround), review the CSRF origin allowlist in your Payload configuration and keep it to the exact origins that legitimately serve the admin UI or call the REST/GraphQL API with cookie authentication.
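The advisory does not say which condition allowed the configured protection to be bypassed, so the following is an added illustration of the vulnerability class, not Payload's own code or the actual bug. It contrasts a loose origin allowlist check, which a lookalike origin or a request with no Origin header slips past, with a strict one, and adds a small version gate against the 3.79.1 fix. All names (ALLOWED_ORIGINS, csrfCheckLoose, csrfCheckStrict, isPatched, the sample requests) are hypothetical; the allowlist mirrors the shape of an origin allowlist config but is constructed for this example.

```typescript
// Added example: an Origin/Referer-based CSRF check in the style of an
// origin allowlist, weak and hardened side by side. Not Payload's code;
// every identifier below is hypothetical and every input is constructed.

type Headers = Record<string, string | undefined>;

// Constructed allowlist: the exact origins permitted to send
// cookie-authenticated state-changing requests.
const ALLOWED_ORIGINS: string[] = [
  'https://admin.example.com',
  'https://www.example.com',
];

// Browsers attach Origin to cross-site POST/PUT/PATCH/DELETE and to every
// fetch(); fall back to the Referer's origin only when Origin is absent.
function requestOrigin(headers: Headers): string | null {
  const origin = headers['origin'];
  if (origin) return origin;
  const referer = headers['referer'];
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// Weak variant (for contrast): prefix match on the raw header, and a
// missing Origin is treated as "probably same-site". A sibling domain such
// as https://admin.example.com.attacker.net starts with an allowed entry
// and is accepted; so is a request that carries no Origin at all.
function csrfCheckLoose(headers: Headers): boolean {
  const origin = requestOrigin(headers);
  if (origin === null) return true;
  return ALLOWED_ORIGINS.some((allowed) => origin.startsWith(allowed));
}

// Hardened variant: canonicalise through URL.origin (lower-cases the host,
// drops a default port), require exact equality, and reject a
// cookie-bearing request whose origin cannot be established.
function csrfCheckStrict(headers: Headers): boolean {
  const origin = requestOrigin(headers);
  if (origin === null) return false;
  let canonical: string;
  try {
    canonical = new URL(origin).origin;
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.includes(canonical);
}

// Version gate for this advisory: fixed in 3.79.1, so any lower release
// and any 3.79.1 prerelease is still affected.
function isPatched(version: string): boolean {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(
    version.trim().replace(/^v/, ''),
  );
  if (!m) throw new Error(`unparseable version: ${version}`);
  const have = [Number(m[1]), Number(m[2]), Number(m[3])];
  const prerelease = m[4] !== undefined;
  const fixed = [3, 79, 1];
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] > fixed[i];
  }
  return !prerelease;
}

// Constructed sample requests (header maps only, no real traffic).
const genuine: Headers = { origin: 'https://admin.example.com' };
const lookalike: Headers = { origin: 'https://admin.example.com.attacker.net' };
const noOrigin: Headers = { cookie: 'payload-token=<redacted>' };
const oddlyCased: Headers = { origin: 'https://ADMIN.example.com:443' };

// Runs the four samples through both checks; returns results rather than
// printing them so the behaviour can be asserted on.
function demo(): Record<string, [boolean, boolean]> {
  const samples: Record<string, Headers> = { genuine, lookalike, noOrigin, oddlyCased };
  const out: Record<string, [boolean, boolean]> = {};
  for (const name of Object.keys(samples)) {
    out[name] = [csrfCheckLoose(samples[name]), csrfCheckStrict(samples[name])];
  }
  return out;
}
```

The strict check also covers the case the loose one gets wrong in the other direction: an origin that differs only in host case or in an explicit default port canonicalises to an allowed entry, so legitimate clients are not rejected while lookalike hosts are. Whichever check the framework applies, the version gate is the authoritative answer for this CVE.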
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T19:17:10.224Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cd7b33e6bfc5ba1df4981f
Added to database: 4/1/2026, 8:08:19 PM
Last enriched: 4/9/2026, 10:32:55 PM
Last updated: 5/15/2026, 1:24:44 AM