Improper Authorization in PayloadCMS by FluidAttacks
CVE-2026-11779

5.3MEDIUM

Key Information:

Vendor: Payloadcms
Status: Payloadcms
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-11779?

An improper authorization vulnerability has been identified in PayloadCMS version 3.84.1, stemming from inadequate access controls on the account unlock feature. This flaw may allow unauthorized users to manipulate account states without the proper permissions, posing significant security risks. Proper access controls are essential to prevent exploitation and ensure the integrity of user accounts.

Affected Version(s)

PayloadCMS Windows 3.84.1

References

https://fluidattacks.com/es/advisories/stitches

third-party-advisory

https://github.com/payloadcms/payload

product

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 9, 2026

Credit

Oscar Naveda

CVE-2026-11779 Data

JSON

Payloadcms

What is CVE-2026-11779?

Affected Version(s)

References

CVSS V4

Timeline

Credit