Access Control Bypass in PayloadCMS Plugin by Delmare Digital
CVE-2026-39397

9.4CRITICAL

Key Information:

Vendor

Delmaredigital

Status
Payload-puck
Vendor
CVE Published:
7 April 2026

What is CVE-2026-39397?

The PayloadCMS plugin for integrating the Puck visual page builder contains a vulnerability where endpoints registered prior to version 0.6.23 bypass critical collection-level access controls. This results from the default settings of the overrideAccess option, which allows unauthorized access to sensitive data through all CRUD handlers under /api/puck/*. This flaw can expose protected resources and potentially enable attackers to exploit the API without proper authentication or adherence to defined access rules, making it crucial for users to update to the fixed version to maintain their web application's integrity.

Affected Version(s)

payload-puck < 0.6.23

References

https://github.com/delmaredigital/payload-puck/security/a...
x_refsource_CONFIRM
https://github.com/delmaredigital/payload-puck/issues/7
x_refsource_MISC
https://github.com/delmaredigital/payload-puck/commit/914...
x_refsource_MISC

CVSS V3.1

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.