PT-2026-6651 · Payloadcms · Pyload

S2Ongmo · Published 2026-02-05 · Updated 2026-02-09 · CVE-2026-25574

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Payload versions prior to 3.74.0

Description: Payload is a headless content management system. A cross-collection Insecure Direct Object Reference (IDOR) exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. The vulnerability affects users if multiple auth collections are configured, a Postgres or SQLite database adapter with serial/auto-increment IDs is used, and users in different auth collections have the same numeric ID. The issue does not affect users utilizing the @payloadcms/db-mongodb adapter, single auth collection environments, or Postgres/SQLite with idType: 'uuid'.

Recommendations: Upgrade to version 3.74.0 or later.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-25574 · GHSA-JQ29-R496-R955

Affected Products: Pyload