File Sanitization Flaw in Payload CMS Affecting Azure, GCS, R2, and S3 Storage
CVE-2026-34750

6.5 MEDIUM

Key Information:

Vendor: Payloadcms

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-34750?

Payload CMS is susceptible to a filename sanitization vulnerability in its client-upload signed-URL endpoints for storage solutions, including Azure, GCS, R2, and S3. Prior to version 3.78.0, the application failed to adequately sanitize filenames, enabling attackers to manipulate file paths and escape the designated storage directories. This flaw could lead to unauthorized access or exposure of files. Upgrade to version 3.78.0 or later. Users are encouraged to review their storage settings and ensure they comply with security best practices.
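The class of check described above, as an added example in JavaScript for Node; it is not Payload's code or its actual fix. The function names `assertPlainFilename`, `buildObjectKey` and `tryKey`, the `media` prefix and the sample filenames are all assumptions made for illustration: a server validates the client-supplied filename before building the object key that a signed upload URL is issued for.

```javascript
// Added example: hypothetical helper names, not Payload's API.

// Accept only a single plain path segment as a filename.
function assertPlainFilename(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) {
    throw new Error('filename must be a non-empty string of at most 255 chars');
  }
  // Decode once so percent-encoded separators are checked as well.
  let decoded;
  try {
    decoded = decodeURIComponent(name);
  } catch {
    throw new Error('filename contains malformed percent-encoding');
  }
  for (const candidate of [name, decoded]) {
    if (/[\/\\]/.test(candidate)) throw new Error('path separators are not allowed');
    if (/[\u0000-\u001f\u007f]/.test(candidate)) throw new Error('control characters are not allowed');
    if (candidate === '.' || candidate === '..') throw new Error('dot segments are not allowed');
  }
  return name;
}

// Build the object key that the signed URL will be issued for.
function buildObjectKey(prefix, clientFilename) {
  const filename = assertPlainFilename(clientFilename);
  const base = prefix.replace(/^\/+|\/+$/g, '');
  const key = base ? `${base}/${filename}` : filename;
  // Defence in depth: resolve segments and confirm nothing was collapsed,
  // which also catches a misconfigured prefix containing "..".
  const resolved = [];
  for (const seg of key.split('/')) {
    if (seg === '..') resolved.pop();
    else if (seg !== '.' && seg !== '') resolved.push(seg);
  }
  if (resolved.join('/') !== key) throw new Error('key escapes the storage prefix');
  return key;
}

// Wrapper that reports the rejection reason instead of throwing.
function tryKey(prefix, name) {
  try { return buildObjectKey(prefix, name); } catch (e) { return `rejected: ${e.message}`; }
}

// Constructed sample filenames, not taken from the advisory.
for (const n of ['report.pdf', '../other/x.png', '..%2F..%2Fconfig.json', 'a\\b.png']) {
  console.log(JSON.stringify(n), '->', tryKey('media', n));
}
```

The signed URL should be issued only for the key this function returns, so a rejected filename never reaches the storage provider.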

Affected Version(s)

payload < 3.78.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
