Insecure Direct Object Reference in Payload CMS
CVE-2026-25574

5.4 MEDIUM

Key Information:

Vendor: Payloadcms
Status: Vendor
CVE Published: 6 February 2026

What is CVE-2026-25574?

The Insecure Direct Object Reference (IDOR) vulnerability in Payload CMS allows an authenticated user in one auth collection of a multi-auth setup to read and modify the preferences of users in a different auth collection, because the access check does not adequately scope a preference to its owner's collection. The issue arises when the database (for example Postgres or SQLite) uses the default serial or auto-increment IDs, so that a user with a given numeric ID exists in more than one auth collection. The consequences include exposure of sensitive user data and unauthorized actions such as deleting another user's preferences. The vulnerability affects versions prior to 3.74.0 and is fixed in 3.74.0; upgrading is the recommended mitigation.
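The following JavaScript is an added illustration of the vulnerability class described above; it is not Payload CMS code, and the collection names (`users`, `customers`), the preference records and the session shape are constructed for the example. It contrasts an ownership check that compares only the numeric user ID (which cannot distinguish `users` #1 from `customers` #1 when both collections use serial IDs) with one that treats the owner as the (collection, ID) pair, for both a read and a delete.

```javascript
// Added example: IDOR across auth collections with colliding serial IDs.
// Not Payload CMS code; names and data below are constructed.

// Constructed sample data: preferences owned by principals in two auth
// collections. Both collections use serial integer IDs, so userId 1 exists
// in each of them.
const preferences = [
  { id: 10, userId: 1, collection: "users",     key: "theme",  value: "dark"  },
  { id: 11, userId: 1, collection: "customers", key: "theme",  value: "light" },
  { id: 12, userId: 2, collection: "customers", key: "locale", value: "fr"    },
];

// The authenticated principal. `collection` is the auth collection the
// session was established against; a robust check must not drop it.
function makeSession(userId, collection) {
  return { userId, collection };
}

// Vulnerable pattern: ownership is decided by the integer ID alone.
// A session for customers#1 also matches preferences owned by users#1.
function listPreferencesIdOnly(session) {
  return preferences.filter((p) => p.userId === session.userId);
}

// Hardened pattern: the owner is the (collection, userId) pair.
function listPreferencesScoped(session) {
  return preferences.filter(
    (p) => p.userId === session.userId && p.collection === session.collection
  );
}

// The same scoping applied to a destructive operation. Returns true only if
// a preference owned by this exact (collection, userId) pair was removed.
function deletePreferenceScoped(store, session, prefId) {
  const idx = store.findIndex(
    (p) =>
      p.id === prefId &&
      p.userId === session.userId &&
      p.collection === session.collection
  );
  if (idx === -1) return false;
  store.splice(idx, 1);
  return true;
}

// Stand-alone demonstration.
const customerOne = makeSession(1, "customers");
console.log("id-only lookup:", listPreferencesIdOnly(customerOne).length, "records (leaks users#1)");
console.log("scoped lookup: ", listPreferencesScoped(customerOne).length, "record");
const copy = preferences.map((p) => ({ ...p }));
console.log("delete users#1 pref as customers#1:", deletePreferenceScoped(copy, customerOne, 10));
```

The fix is not to stop using serial IDs but to stop treating the bare ID as an identity: every access decision on a per-user record should compare the requesting principal's collection as well as its ID, and any database query that selects such records should carry the collection in its WHERE clause rather than filtering it in afterwards.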

Affected Version(s)

payload < 3.74.0

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
