Unknown · Payloadcms · CVE-2026-39397
**Name of the Vulnerable Software and Affected Versions**
@delmaredigital/payload-puck versions prior to 0.6.23
**Description**
The @delmaredigital/payload-puck plugin for PayloadCMS, a visual page builder integration, had a critical access-control bypass. Every CRUD endpoint handler registered by `createPuckPlugin()` called Payload's local API with `overrideAccess: true`, which skips collection-level access control entirely. The `access` option passed to `createPuckPlugin()` and any access rules defined on Puck-registered collections were likewise never consulted on these endpoints, so any client able to reach them could create, read, update or delete Puck content regardless of the rules the site had configured.
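The following is an added illustration and is not code from @delmaredigital/payload-puck or from Payload itself. `MiniPayload` is a constructed stand-in that reproduces one documented behaviour of Payload's local API: `overrideAccess` defaults to `true`, so collection access functions run only when a caller explicitly passes `overrideAccess: false` together with the requesting `user`. The `pages` collection, its rules, the request shape and the `pluginAccess` parameter are all assumptions made for the example. It contrasts an update handler written the way the advisory describes with a hardened form that lets both the plugin-level access option and the collection's own rules decide.

```typescript
// Constructed stand-in for Payload's local API (not Payload's real code).
type User = { id: string; roles: string[] } | null;
type AccessFn = (args: { user: User }) => boolean;
type Doc = { id: string; title: string };

interface Collection {
  slug: string;
  access: { read: AccessFn; update: AccessFn };
  docs: Record<string, Doc>;
}

interface LocalApiOpts {
  collection: string;
  overrideAccess?: boolean; // Payload's local API defaults this to true
  user?: User;
}

class MiniPayload {
  constructor(private collections: Record<string, Collection>) {}

  // Collection access functions only run when overrideAccess is false.
  private authorize(op: "read" | "update", opts: LocalApiOpts): Collection {
    const col = this.collections[opts.collection];
    if (!col) throw new Error(`unknown collection ${opts.collection}`);
    const override = opts.overrideAccess === undefined ? true : opts.overrideAccess;
    if (!override && !col.access[op]({ user: opts.user === undefined ? null : opts.user })) {
      throw new Error(`forbidden: ${op} on ${opts.collection}`);
    }
    return col;
  }

  find(opts: LocalApiOpts): Doc[] {
    const col = this.authorize("read", opts);
    return Object.keys(col.docs).map((k) => col.docs[k]);
  }

  update(opts: LocalApiOpts & { id: string; data: Partial<Doc> }): Doc {
    const col = this.authorize("update", opts);
    const current = col.docs[opts.id];
    if (!current) throw new Error(`not found: ${opts.id}`);
    col.docs[opts.id] = { ...current, ...opts.data };
    return col.docs[opts.id];
  }
}

// Constructed sample: a Puck-registered "pages" collection only editors may write.
export function makePayload(): MiniPayload {
  const pages: Collection = {
    slug: "pages",
    access: {
      read: ({ user }) => user !== null,
      update: ({ user }) => user !== null && user.roles.indexOf("editor") !== -1,
    },
    docs: { home: { id: "home", title: "Home" } },
  };
  return new MiniPayload({ pages });
}

interface Req { user: User; payload: MiniPayload; body: { id: string; title: string } }
interface Result { status: number; body: unknown }

// Pattern the advisory describes: overrideAccess: true, so neither the
// collection's rules nor any plugin-level access option are consulted.
export function vulnerableUpdateHandler(req: Req): Result {
  const doc = req.payload.update({
    collection: "pages", id: req.body.id, data: { title: req.body.title }, overrideAccess: true,
  });
  return { status: 200, body: doc };
}

// Hardened form: honour the plugin-level option (hypothetical `pluginAccess`),
// then pass the request user with overrideAccess: false so the collection's
// own access functions run. A denial becomes HTTP 403 instead of a write.
export function hardenedUpdateHandler(req: Req, pluginAccess: AccessFn = () => true): Result {
  if (!pluginAccess({ user: req.user })) return { status: 403, body: { error: "forbidden by plugin access" } };
  try {
    const doc = req.payload.update({
      collection: "pages", id: req.body.id, data: { title: req.body.title },
      overrideAccess: false, user: req.user,
    });
    return { status: 200, body: doc };
  } catch (e) {
    return { status: 403, body: { error: String(e) } };
  }
}

// Drives both handlers with an anonymous request against separate stores.
export function scenario() {
  const vulnStore = makePayload();
  const hardStore = makePayload();
  const body = { id: "home", title: "defaced" };
  const vulnerable = vulnerableUpdateHandler({ user: null, payload: vulnStore, body }).status;
  const anonHardened = hardenedUpdateHandler({ user: null, payload: hardStore, body }).status;
  const titleAfterVuln = vulnStore.find({ collection: "pages" })[0].title;
  const titleAfterAnonHardened = hardStore.find({ collection: "pages" })[0].title;
  const viewer: User = { id: "u2", roles: ["viewer"] };
  const viewerHardened = hardenedUpdateHandler({ user: viewer, payload: hardStore, body }).status;
  const editor: User = { id: "u1", roles: ["editor"] };
  const editorHardened = hardenedUpdateHandler({ user: editor, payload: hardStore, body }).status;
  return { vulnerable, anonHardened, viewerHardened, editorHardened, titleAfterVuln, titleAfterAnonHardened };
}
```

Running `scenario()` shows the anonymous request succeeding (200) and rewriting the page through the vulnerable handler, while the hardened handler returns 403 for anonymous and viewer callers and 200 only for an editor. The same shape applies to `find`, `create` and `delete`: in a real Payload endpoint, pass `req.user` (or `req`) and `overrideAccess: false` to every local API call that acts on behalf of the caller.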
**Recommendations**
Update to version 0.6.23 or later. Tightening the access rules on the affected collections does not mitigate this issue on its own, because the vulnerable handlers never evaluate them.