GHSA-7xxh-373w-35vg (CVE-2026-34747)

Details

Impact

Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.

Patches

This issue has been fixed in v3.79.1 and later. Query input validation has been hardened.

Upgrade to v3.79.1 or later.

Workarounds

Until developers can upgrade:

Limit access to endpoints that accept dynamic query inputs to trusted users only.
Validate or sanitize input from untrusted clients before sending it to query endpoints.

Affected Packages

payload

npm

Fixed in:

3.79.1

References

ADVISORY

https://github.com/advisories/GHSA-7xxh-373w-35vg

PACKAGE

https://github.com/payloadcms/payload

WEB

https://github.com/payloadcms/payload/releases/tag/v3.79.1

WEB

https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-34747