CVE-2026-39397 CRITICAL

CVE-2026-39397: @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

Vendor Delmaredigital
Product payload-puck
Weakness CWE-862 · Missing authorization
Published April 7, 2026
Last update April 7, 2026

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 7, 2026 Record updated

Related vulnerabilities

04Related CVE