GHSA-JQ29-R496-R955

Vulnerability from github – Published: 2026-02-05 21:02 – Updated: 2026-02-07 00:31
VLAI?
Summary
payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)
Details

Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

  • Multiple auth collections configured (e.g., admins + customers)
  • Postgres or SQLite database adapter with serial/auto-increment IDs
  • Users in different auth collections with the same numeric ID

Not affected:

  • @payloadcms/db-mongodb adapter
  • Single auth collection environments
  • Postgres/SQLite with idType: 'uuid'

Patches

This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.

Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "payload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.74.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T21:02:20Z",
    "nvd_published_at": "2026-02-06T22:16:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the `payload-preferences` internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.\n\n**Users are affected if ALL of these are true:**\n\n- Multiple auth collections configured (e.g., `admins` + `customers`)\n- Postgres or SQLite database adapter with serial/auto-increment IDs\n- Users in different auth collections with the same numeric ID\n\n**Not affected:**\n\n- `@payloadcms/db-mongodb` adapter\n- Single auth collection environments\n- Postgres/SQLite with `idType: \u0027uuid\u0027`\n\n### Patches\n\nThis vulnerability has been patched in **v3.74.0**. Users should upgrade to v3.74.0 or later.\n\n### Workarounds\n\nThere is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.",
  "id": "GHSA-jq29-r496-r955",
  "modified": "2026-02-07T00:31:54Z",
  "published": "2026-02-05T21:02:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25574"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/payloadcms/payload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.