CVE-2026-34751: CWE-472: External Control of Assumed-Immutable Web Parameter in payloadcms payload
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
AI Analysis
Technical Summary
CVE-2026-34751 is a vulnerability classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) and CWE-640 (Weak Password Recovery Mechanism) affecting Payload CMS, an open-source headless content management system. The issue resides in the password recovery flow of versions prior to 3.79.1 in the @payloadcms/graphql and payload packages. Specifically, an attacker can manipulate web parameters that the system incorrectly assumes to be immutable during the password reset process. This flaw enables an unauthenticated attacker to perform actions on behalf of a user who has initiated a password reset, potentially allowing unauthorized access or modification of user accounts. The vulnerability does not require any prior authentication or user interaction, making it highly exploitable remotely over the network. The flaw compromises both confidentiality and integrity of user accounts but does not affect availability. The vendor addressed this issue in version 3.79.1 by correcting the handling of these parameters to prevent external control and unauthorized actions during password recovery. Although no public exploits have been reported yet, the critical CVSS score of 9.1 reflects the severity and ease of exploitation.
Potential Impact
The vulnerability poses a significant risk to organizations using vulnerable versions of Payload CMS, as attackers can hijack password recovery processes to gain unauthorized access to user accounts. This can lead to data breaches, unauthorized data modification, and potential lateral movement within affected environments. Since Payload CMS is used to manage content and potentially sensitive data, exploitation could compromise the confidentiality and integrity of website content and user information. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations relying on Payload CMS for web content management, especially those with sensitive or regulated data, face increased risk of reputational damage, compliance violations, and operational disruption if this vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately upgrade all instances of Payload CMS and the @payloadcms/graphql package to version 3.79.1 or later, where this vulnerability is patched. Until upgrades are applied, restrict access to the password recovery endpoints through network controls such as web application firewalls (WAFs) or IP allowlisting to limit exposure. Implement monitoring and alerting for unusual password reset activity, such as multiple reset attempts from the same IP address. Review and harden password recovery workflows so that the account a reset applies to is derived server-side from the reset token rather than from client-supplied parameters, and so that those parameters are validated and immutable where necessary. Conduct security testing on custom integrations with Payload CMS to verify that no similar parameter manipulation vulnerabilities exist. Additionally, educate users about phishing risks related to password resets and encourage strong, unique passwords combined with multi-factor authentication (MFA) where possible to reduce the impact of compromised accounts.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T19:17:10.225Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cd5f13e6bfc5ba1de6e53d
Added to database: 4/1/2026, 6:08:19 PM
Last enriched: 4/1/2026, 6:23:45 PM
Last updated: 4/4/2026, 7:45:06 AM