CVE-2026-27567

6.5 MEDIUM

📋 TL;DR

Payload CMS versions before 3.75.0 contain a Server-Side Request Forgery (SSRF) vulnerability in external file upload functionality. Authenticated users with upload permissions can exploit insufficient HTTP redirect validation to access internal network resources. Only instances with upload-enabled collections and users having create access are vulnerable.

💻 Affected Systems

Products:
  • Payload CMS
Versions: All versions prior to 3.75.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires: 1) At least one collection with upload enabled, 2) User with create access to that collection

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker accesses sensitive internal services, retrieves confidential data, or performs lateral movement within the network.

🟠 Likely Case

Unauthorized access to internal HTTP services, potentially exposing internal APIs, databases, or management interfaces.

🟢 If Mitigated

Limited to authenticated users with specific permissions; impact minimized by network segmentation and access controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with upload permissions; the SSRF is reached through HTTP redirect manipulation in the external file upload feature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.75.0

Vendor Advisory: https://github.com/payloadcms/payload/security/advisories/GHSA-hhfx-5x8j-f5f6

Restart Required: Yes

Instructions:

1. Update Payload CMS to version 3.75.0 or later.
2. Restart the application.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable external file uploads (applies to: all)

Set the disableExternalFile option on upload-enabled collections. In the collection config: upload: { disableExternalFile: true }

Restrict upload permissions (applies to: all)

Limit create access on upload-enabled collections to trusted users only.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Payload CMS from internal services
  • Deploy web application firewall with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Payload CMS version; if it is below 3.75.0 and the instance has upload-enabled collections to which users have create access, it is vulnerable.

Check Version:

Check package.json or run: npm list payload

Verify Fix Applied:

Confirm the version is 3.75.0 or later, then test the external file upload functionality with redirect URLs pointing at internal addresses and confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual external URL upload attempts
  • HTTP requests to internal IP addresses from Payload
  • Multiple redirect responses from upload endpoints

Network Indicators:

  • Outbound HTTP requests from Payload to internal network ranges
  • Unusual traffic patterns from Payload to non-public services

SIEM Query:

source="payload" AND (url_contains="upload" OR url_contains="external") AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
