CVE-2026-34750
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints
Description
### Impact The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. Consumers are affected if ALL of these are true: - Payload version **< v3.78.0** - Using client-upload signed-URL endpoints for any supported storage adapter ## Patches This vulnerability has been patched in **v3.78.0**. Filename validation has been hardened for client uploads. Consumers should upgrade to **v3.78.0** or later. ## Workarounds Consumers can upgrade: - Limit access to client-upload signed-URL endpoints to trusted users only.
How to fix CVE-2026-34750
To remediate CVE-2026-34750, upgrade the affected package to a fixed version below.
- —upgrade to 3.78.0 or later
- —upgrade to 3.78.0 or later
- —upgrade to 3.78.0 or later
- —upgrade to 3.78.0 or later
Is CVE-2026-34750 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 3.78.0
- from 0, < 3.78.0
- from 0, < 3.78.0
- from 0, < 3.78.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |