Server-Side Request Forgery Vulnerability in Payload CMS
CVE-2026-27567

6.5 MEDIUM

Key Information:

Vendor: Payloadcms

Status
Vendor
CVE Published: 24 February 2026

What is CVE-2026-27567?

Prior to version 3.75.0, Payload CMS had a Server-Side Request Forgery (SSRF) vulnerability in its external file upload functionality. The vulnerability arises from insufficient validation of HTTP redirects returned while the external file is fetched, allowing an authenticated attacker to use the upload feature to reach internal network resources. To be exploitable, the Payload environment must have at least one collection with upload enabled and a user with create access to that collection. Under those conditions, an authenticated user with upload permissions could retrieve data from internal services through the application. The issue has been addressed in version 3.75.0; as a mitigation, disable external file uploads or restrict access to upload-enabled collections.
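The class of check the advisory describes as missing is a destination check that is repeated on every redirect hop. The following is an added example of such a check, written for this page; it is not Payload's code and does not show how Payload fixed the issue. The function names (isPrivateAddress, assertPublicHost, fetchExternalFile) and the injectable fetchImpl and resolve parameters are assumptions made so the logic can be exercised offline; it assumes Node 18+ for the global fetch and the WHATWG URL parser.

```javascript
// Added example (not Payload's code): a defensive fetcher for "upload from URL"
// features. It refuses private/loopback destinations and re-checks every
// redirect hop instead of letting the HTTP client follow redirects blindly.

// Classify an IP literal. Returns true for anything a server-side fetch should
// never reach: unspecified, loopback, RFC 1918, link-local, CGNAT, multicast and
// reserved IPv4 ranges, IPv6 loopback/ULA/link-local, and IPv4-mapped forms.
function isPrivateAddress(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const [a, b] = v4.slice(1, 3).map(Number);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||
      a >= 224
    );
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(":")) return true; // not an IP literal at all: treat as unsafe
  if (v6 === "::1" || v6 === "::") return true;
  if (/^f[cd]/.test(v6)) return true;   // fc00::/7 unique local
  if (/^fe[89ab]/.test(v6)) return true; // fe80::/10 link-local
  if (v6.startsWith("::ffff:")) {
    // IPv4-mapped: the URL parser normalises ::ffff:127.0.0.1 to ::ffff:7f00:1
    const rest = v6.slice(7);
    if (rest.includes(".")) return isPrivateAddress(rest);
    const g = rest.split(":").map((h) => parseInt(h || "0", 16));
    if (g.length !== 2 || g.some(Number.isNaN)) return true;
    return isPrivateAddress([g[0] >> 8, g[0] & 255, g[1] >> 8, g[1] & 255].join("."));
  }
  return false;
}

// Default resolver; the dynamic import works from both CommonJS and ESM.
async function defaultResolve(hostname) {
  const dns = await import("node:dns");
  return dns.promises.lookup(hostname, { all: true });
}

// Throw unless every address the hostname resolves to is public. `resolve` is
// injectable (hypothetical parameter) so the check can be tested without DNS.
async function assertPublicHost(hostname, resolve = defaultResolve) {
  const host = hostname.replace(/^\[|\]$/g, ""); // URL keeps IPv6 literals in brackets
  const isLiteral = /^[\d.]+$/.test(host) || host.includes(":");
  const addresses = isLiteral ? [{ address: host }] : await resolve(host);
  if (addresses.length === 0) throw new Error(`refusing to fetch ${hostname}: no addresses`);
  for (const { address } of addresses) {
    if (isPrivateAddress(address)) {
      throw new Error(`refusing to fetch ${hostname}: resolves to non-public address ${address}`);
    }
  }
}

// Fetch with redirect: "manual" so each Location header is validated with the
// same policy before it is followed. `fetchImpl` is injectable for testing.
async function fetchExternalFile(url, { fetchImpl = globalThis.fetch, resolve, maxRedirects = 5 } = {}) {
  let current = new URL(url); // the WHATWG parser canonicalises hex/decimal IPv4 forms
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (current.protocol !== "http:" && current.protocol !== "https:") {
      throw new Error(`unsupported scheme ${current.protocol}`);
    }
    await assertPublicHost(current.hostname, resolve);
    const res = await fetchImpl(current.href, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current); // a relative Location resolves against the current URL
      continue;
    }
    return res;
  }
  throw new Error("too many redirects");
}
```

Calling fetchExternalFile(url) with the defaults performs a real lookup and fetch. One caveat a reviewer would raise: there is still a window between the DNS lookup and the connection in which a rebinding resolver could return a different address; pinning the connection to the address that was checked (for example through a custom agent) closes that gap, and is the stronger option for production code.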

Affected Version(s)

payload < 3.75.0

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
