CVE-2026-25574
payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)
Description
### Impact

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the `payload-preferences` internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

**Users are affected if ALL of these are true:**

- Multiple auth collections configured (e.g., `admins` + `customers`)
- Postgres or SQLite database adapter with serial/auto-increment IDs
- Users in different auth collections with the same numeric ID

**Not affected:**

- `@payloadcms/db-mongodb` adapter
- Single auth collection environments
- Postgres/SQLite with `idType: 'uuid'`

### Patches

This vulnerability has been patched in **v3.74.0**. Users should upgrade to v3.74.0 or later.

### Workarounds

There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.
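The collision described above, as an added illustration that is not Payload's own code: a polymorphic `user` reference stored as `{ relationTo, value }` (an assumed shape), an in-memory preferences table with constructed rows, and two access filters, one keyed on the numeric ID alone and one that also requires the owning collection.

```typescript
// Added example, not code from Payload. Models why a numeric-ID-only
// ownership check fails once two auth collections share serial IDs.

type AuthCollection = 'admins' | 'customers';

interface PolymorphicRef { relationTo: AuthCollection; value: number }
interface Preference { id: number; user: PolymorphicRef; key: string; value: unknown }
interface RequestUser { id: number; collection: AuthCollection }

// Constructed sample data: serial IDs restart at 1 in each auth collection,
// so admins:1 and customers:1 collide on the bare numeric ID.
const preferences: Preference[] = [
  { id: 1, user: { relationTo: 'admins', value: 1 }, key: 'locale', value: 'en' },
  { id: 2, user: { relationTo: 'customers', value: 1 }, key: 'locale', value: 'de' },
  { id: 3, user: { relationTo: 'customers', value: 2 }, key: 'theme', value: 'dark' },
];

// Vulnerable shape (assumed, for illustration): the filter compares only the
// numeric ID, so a user whose ID collides with a user in another auth
// collection also matches that user's rows.
function ownedByIdOnly(user: RequestUser): (p: Preference) => boolean {
  return (p) => p.user.value === user.id;
}

// Hardened shape: both halves of the polymorphic reference must match, so a
// collision on the numeric ID alone no longer grants access.
function ownedByCollectionAndId(user: RequestUser): (p: Preference) => boolean {
  return (p) => p.user.relationTo === user.collection && p.user.value === user.id;
}

// Returns "<collection>:<id>/<key>" for every preference row the filter exposes.
function visibleKeys(
  user: RequestUser,
  filter: (u: RequestUser) => (p: Preference) => boolean,
): string[] {
  return preferences.filter(filter(user)).map((p) => `${p.user.relationTo}:${p.user.value}/${p.key}`);
}

const admin1: RequestUser = { id: 1, collection: 'admins' };
console.log('id only       :', visibleKeys(admin1, ownedByIdOnly));          // leaks customers:1
console.log('collection+id :', visibleKeys(admin1, ownedByCollectionAndId)); // admins:1 only
```

The same filter applies to the delete path: a delete scoped only by `user.value` removes the colliding row in the other collection, while the collection-qualified filter does not.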
How to fix CVE-2026-25574
To remediate CVE-2026-25574, upgrade the affected package to a fixed version below.
- upgrade to 3.74.0 or later
Is CVE-2026-25574 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.74.0
CVSS scores
| Source | Version | Severity |
|---|---|---|