CVE-2026-34751
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
Description
### Impact A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. Users are affected if: - They are using Payload version **< v3.79.1** with any auth-enabled collection using the built-in `forgot-password` functionality. ### Patches Input validation and URL construction in the password recovery flow have been hardened. Users should upgrade to **v3.79.1** or later. ### Workarounds There are no complete workarounds. Upgrading to **v3.79.1** is recommended.
How to fix CVE-2026-34751
To remediate CVE-2026-34751, upgrade the affected package to a fixed version below.
- —upgrade to 3.79.1 or later
- —upgrade to 3.79.1 or later
Is CVE-2026-34751 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.79.1
- from 0, < 3.79.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |