PT-2026-31018 · Unknown+1 · Payloadcms+1

Dag-Rui · Published 2026-04-07 · Updated 2026-04-09 · CVE-2026-39397

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @delmaredigital/payload-puck versions prior to 0.6.23

Description: The @delmaredigital/payload-puck plugin for PayloadCMS, a visual page builder integration, had a critical issue where access control was bypassed. Specifically, all CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with overrideAccess: true, ignoring collection-level access controls. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were also ignored on these endpoints.

Recommendations: Update to version 0.6.23 or later.
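As an added illustration (not code from the payload-puck project or from Payload itself), the block below contrasts the handler shape described above with a hardened one. FakePayload, the pages collection, its access.read rule and the two users are constructed stand-ins for Payload's local API and data; what carries over is the option semantics: Payload's local API treats overrideAccess as true by default, so a handler must pass overrideAccess: false together with the request's user for collection-level access rules to run at all.

```typescript
// Added example, not project code. FakePayload is a constructed stand-in for
// Payload's local API that runs a collection's access.read rule unless
// overrideAccess is true (Payload's default for local API calls).

type User = { id: string; roles: string[] } | null;

interface Doc {
  id: string;
  title: string;
}

interface CollectionConfig {
  slug: string;
  // Access rule in the shape Payload uses: ({ req }) => boolean
  access: { read: (args: { req: { user: User } }) => boolean };
}

interface FindArgs {
  collection: string;
  overrideAccess?: boolean; // undefined behaves like true, as in Payload's local API
  user?: User;
}

class FakePayload {
  private collections: CollectionConfig[];
  private data: Record<string, Doc[]>;

  constructor(collections: CollectionConfig[], data: Record<string, Doc[]>) {
    this.collections = collections;
    this.data = data;
  }

  find(args: FindArgs): { docs: Doc[] } {
    const cfg = this.collections.find((c) => c.slug === args.collection);
    if (!cfg) throw new Error(`unknown collection ${args.collection}`);
    const override = args.overrideAccess ?? true;
    if (!override) {
      // Only here does the collection's own access rule get a say.
      const allowed = cfg.access.read({ req: { user: args.user ?? null } });
      if (!allowed) throw new Error("Forbidden");
    }
    return { docs: this.data[args.collection] ?? [] };
  }
}

// Vulnerable pattern: overrideAccess: true means access.read never runs, and the
// request's user is not even forwarded, so an anonymous caller reads everything.
function vulnerableListHandler(payload: FakePayload, _reqUser: User, collection: string) {
  return payload.find({ collection, overrideAccess: true });
}

// Hardened pattern: forward the request's user and let the access rule decide.
function hardenedListHandler(payload: FakePayload, reqUser: User, collection: string) {
  return payload.find({ collection, overrideAccess: false, user: reqUser });
}

// Runs both handlers against a constructed collection and reports what each returns.
function runScenario() {
  const pages: CollectionConfig = {
    slug: "pages",
    access: { read: ({ req }) => Boolean(req.user && req.user.roles.includes("editor")) },
  };
  const payload = new FakePayload([pages], { pages: [{ id: "1", title: "Draft" }] });
  const anonymous: User = null;
  const editor: User = { id: "u1", roles: ["editor"] };

  const vulnerableAnonymousDocs = vulnerableListHandler(payload, anonymous, "pages").docs.length;

  let hardenedAnonymousDenied = false;
  try {
    hardenedListHandler(payload, anonymous, "pages");
  } catch (e) {
    hardenedAnonymousDenied = (e as Error).message === "Forbidden";
  }

  const hardenedEditorDocs = hardenedListHandler(payload, editor, "pages").docs.length;

  return { vulnerableAnonymousDocs, hardenedAnonymousDenied, hardenedEditorDocs };
}

console.log(runScenario());
```

The detection angle follows from the same property: any local API call inside a request handler that sets overrideAccess: true (or leaves it unset) and omits user or req is a place where collection and plugin access rules are silently skipped, which is what a code review or lint rule for this class of bug should look for.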

Exploit
Fix

Weakness Enumeration
Missing Authorization

Related Identifiers
CVE-2026-39397
GHSA-65W6-PF7X-5G85

Affected Products
@delmaredigital/payload-puck
Payloadcms