CVE-2026-25574 MEDIUM

CVE-2026-25574: Payload Affected by Cross-Collection IDOR in payload-preferences Access Control (Multi-Auth Environments)

Vendor Payloadcms
Product payload
Weakness CWE-639 · IDOR
Published February 6, 2026
Last update February 9, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
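As an added illustration of the scoping mistake the description refers to (this is not Payload's own code; the record shape, field names and helper functions are assumptions), here are two ownership checks over constructed preference rows: one keyed on the numeric user ID alone, which lets users from different auth collections with colliding IDs reach each other's rows, and one keyed on the (collection, ID) pair.

```javascript
// Constructed sample rows: two auth collections ('admins' and 'customers'),
// each containing a user whose serial/auto-increment id happens to be 1.
// The relationship shape { relationTo, value } is an assumption for this example.
const preferences = [
  { id: 10, key: 'dashboard', user: { relationTo: 'admins', value: 1 }, value: { theme: 'dark' } },
  { id: 11, key: 'dashboard', user: { relationTo: 'customers', value: 1 }, value: { theme: 'light' } },
];

// Weak scoping: compares only the numeric user id. An 'admins' user with id 1
// and a 'customers' user with id 1 are treated as the same owner.
function visiblePreferencesIdOnly(prefs, requester) {
  return prefs.filter((p) => p.user.value === requester.id);
}

// Correct scoping: ownership is the (collection, id) tuple, so colliding
// numeric ids in different auth collections no longer match.
function visiblePreferencesScoped(prefs, requester) {
  return prefs.filter(
    (p) => p.user.relationTo === requester.collection && p.user.value === requester.id,
  );
}

// Returns the ids of the preference rows a requester can read under a given check.
function accessibleIds(ownershipFilter, requester) {
  return ownershipFilter(preferences, requester).map((p) => p.id);
}

// The same ownership check must guard the delete path; otherwise a read-scoped
// fix still leaves cross-collection deletion possible.
function deletePreference(prefs, requester, prefId, ownershipFilter) {
  const owned = ownershipFilter(prefs, requester).some((p) => p.id === prefId);
  if (!owned) return { deleted: false, remaining: prefs };
  return { deleted: true, remaining: prefs.filter((p) => p.id !== prefId) };
}

// Constructed requester: a 'customers' user whose id collides with an admin's.
const customer = { collection: 'customers', id: 1 };

console.log('id-only read:', accessibleIds(visiblePreferencesIdOnly, customer)); // [10, 11]
console.log('scoped read:', accessibleIds(visiblePreferencesScoped, customer));   // [11]
console.log('id-only delete of admin row:', deletePreference(preferences, customer, 10, visiblePreferencesIdOnly).deleted); // true
console.log('scoped delete of admin row:', deletePreference(preferences, customer, 10, visiblePreferencesScoped).deleted);   // false
```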

Key dates

Disclosure timeline

February 6, 2026 CVE published
February 9, 2026 Record updated
