Package Instance

Payload has Authenticated SSRF via Upload Functionality
### Impact

An authenticated Server-Side Request Forgery (SSRF) vulnerability existed in the upload functionality.

Authenticated users with `create` or `update` access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs.

Consumers are affected if ALL of these are true:

- Payload version **< v3.79.1**
- At least one collection with `upload` enabled
- An authenticated user has `create` or `update` access to that collection

### Patches

This vulnerability has been patched in **v3.79.1**. Users should upgrade to **v3.79.1** or later.

### Workarounds

Until consumers can upgrade:

- Restrict `create` and `update` access to upload-enabled collections to trusted roles only.
- Limit outbound network access from your Payload server where possible.

Payload has a CSRF Protection Bypass in Authentication Flow
### Impact

A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.

Consumers are affected if ALL of these are true:

- Payload version **< v3.79.1**
- `serverURL` is configured

### Patches

This vulnerability has been patched in **v3.79.1**. Additional validation has been added to the authentication flow.

Consumers should upgrade to **v3.79.1** or later.

### Workarounds

There is no complete workaround without upgrading. 

If consumers cannot upgrade immediately, setting `cookies.sameSite` to `'Strict'` will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to the application from external links (e.g. email, other sites).

Payload has an SQL Injection via Query Handling
### Impact

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

### Patches

This issue has been fixed in **v3.79.1** and later. Query input validation has been hardened.

Upgrade to **v3.79.1 or later**.

### Workarounds

Until developers can upgrade:

- Limit access to endpoints that accept dynamic query inputs to trusted users only.  
- Validate or sanitize input from untrusted clients before sending it to query endpoints.

Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery
### Impact

A vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset.

Users are affected if:

- They are using Payload version **< v3.79.1** with any auth-enabled collection using the built-in `forgot-password` functionality.

### Patches

Input validation and URL construction in the password recovery flow have been hardened.

Users should upgrade to **v3.79.1** or later.

### Workarounds

There are no complete workarounds. Upgrading to **v3.79.1** is recommended.