The vulnerability in Payload’s SQLite adapter stems from the improper handling of database identifiers and JWT tokens during user account lifecycle events. When a new user account is created, the SQLite database assigns it a unique sequential identifier. This ID is embedded within the JWT token issued to the user. If that user account is subsequently deleted, the database sequence is not advanced or managed to prevent immediate reuse. The JWT associated with the deleted account also remains valid as no token invalidation mechanism is in place. A malicious actor can exploit this by creating an account, preserving the issued JWT, and then deleting the account. The next user to register will likely be assigned the same recycled database identifier. The attacker can then use their saved JWT, which contains the same user ID, to impersonate the new legitimate user and gain unauthorized access to their account and privileges.
Platform: Payload CMS
Version: <3.44.0
Vulnerability: Session Fixation
Severity: Moderate
Date: 2025-08-29
Predicted patch date: 2025-08-29
What Undercode Says:
`sqlite3 payload.db "SELECT seq FROM sqlite_sequence WHERE name='users';"`
`DELETE FROM users WHERE id = 123;`
`INSERT INTO users (email, password) VALUES ('[email protected]', 'hash');`
How the exploit works:
1. Attacker registers account.
2. Saves received JWT.
3. Deletes own account.
4. Waits for victim registration.
5. Reuses JWT for auth.
Protection from this CVE
Update to v3.44.0.
Implement token blacklisting.
Use UUIDs instead of sequential IDs.
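The following is an added example, not code from Payload CMS or from the original post. It simulates the mechanism described in the opening paragraph and shows why the protections listed above work: a constructed SQLite schema whose `INTEGER PRIMARY KEY` (no `AUTOINCREMENT`) hands the deleted account's id to the next registration, and a minimal HMAC-signed token standing in for the JWT. The vulnerable resolver trusts the numeric `id` claim alone, so the saved token resolves to the second account; the hardened resolver also requires a random per-account `token_key` (a hypothetical column name) that a recycled id does not carry, so the old token is rejected. All emails, the secret and the schema are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3
from typing import Optional

# Constructed demo secret; a real deployment reads this from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(claims: dict) -> str:
    """Stand-in for a JWT: base64url(JSON claims) + '.' + HMAC-SHA256 tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the tag verifies, otherwise None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def new_db() -> sqlite3.Connection:
    # INTEGER PRIMARY KEY without AUTOINCREMENT: SQLite assigns max(rowid)+1,
    # so deleting the newest row lets the next insert receive the same id.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "email TEXT UNIQUE NOT NULL, token_key TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str):
    # token_key (hypothetical column) is a random per-account value;
    # rotating or deleting it invalidates every token that carries it.
    token_key = secrets.token_hex(16)
    cur = conn.execute(
        "INSERT INTO users (email, token_key) VALUES (?, ?)", (email, token_key)
    )
    return cur.lastrowid, token_key


# Vulnerable pattern: the token identifies the account by numeric id only.
def issue_vulnerable(user_id: int) -> str:
    return sign({"id": user_id})


def resolve_vulnerable(conn: sqlite3.Connection, token: str) -> Optional[str]:
    claims = verify_signature(token)
    if claims is None:
        return None
    row = conn.execute("SELECT email FROM users WHERE id = ?", (claims.get("id"),)).fetchone()
    return row[0] if row else None


# Hardened pattern: the token also carries the account's token_key, which must
# match the stored value; a recycled id has a fresh key, so old tokens fail.
def issue_hardened(user_id: int, token_key: str) -> str:
    return sign({"id": user_id, "tk": token_key})


def resolve_hardened(conn: sqlite3.Connection, token: str) -> Optional[str]:
    claims = verify_signature(token)
    if claims is None or "tk" not in claims:
        return None
    row = conn.execute(
        "SELECT email, token_key FROM users WHERE id = ?", (claims.get("id"),)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[1], claims["tk"]):
        return None
    return row[0]


def replay_after_id_reuse(hardened: bool) -> Optional[str]:
    """Regression check: register, keep the token, delete the account, register a
    second account, then report which account the old token now resolves to."""
    conn = new_db()
    first_id, first_key = register(conn, "first@example.invalid")
    token = issue_hardened(first_id, first_key) if hardened else issue_vulnerable(first_id)
    conn.execute("DELETE FROM users WHERE id = ?", (first_id,))
    second_id, _ = register(conn, "second@example.invalid")
    assert second_id == first_id, "constructed schema is expected to recycle the id"
    return resolve_hardened(conn, token) if hardened else resolve_vulnerable(conn, token)


if __name__ == "__main__":
    print("vulnerable:", replay_after_id_reuse(hardened=False))  # second@example.invalid
    print("hardened:  ", replay_after_id_reuse(hardened=True))   # None
```

The same per-account key doubles as a lightweight blacklist: deleting the row (or rotating `token_key`) invalidates outstanding tokens without a server-side token store, and switching the primary key to a UUID removes the id recycling that makes the replay land on a different person in the first place.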
Impact:
Account Takeover
Privilege Escalation
Unauthorized Access
Sources:
Reported By: github.com
Extra Source Hub:
Undercode