CVE-2026-34749
MEDIUM5.4EPSS 0.01%Payload has a CSRF Protection Bypass in Authentication Flow
Description
### Impact A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. Consumers are affected if ALL of these are true: - Payload version **< v3.79.1** - `serverURL` is configured ### Patches This vulnerability has been patched in **v3.79.1**. Additional validation has been added to the authentication flow. Consumers should upgrade to **v3.79.1** or later. ### Workarounds There is no complete workaround without upgrading. If consumers cannot upgrade immediately, setting `cookies.sameSite` to `'Strict'` will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).
Affected packages (1)
- npm/payloadfrom 0, < 3.79.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |