CVE-2026-25574
MEDIUM
Payload < 3.74.0 - Authenticated Insecure Direct Object Reference in Preferences Collection
Title source: llmDescription
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
References (1)
Core References
Vendor Advisory (x_refsource_confirm)
https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
9.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (2)
npm/payload
0 - 3.74.0 (npm)
payloadcms/payload
< 3.74.0
Published
Feb 06, 2026
Tracked Since
Feb 18, 2026