Threat Advisory

PayloadCMS Vulnerability Allows Manipulation of Other Users' Preferences

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

An authorization bypass vulnerability, CVE-2026-25574, affects the payload-preferences internal collection of the Payload CMS project. In a multi-authentication deployment it potentially allows an authenticated user to access or delete preference entries belonging to users in other authentication collections when their numeric IDs collide, which can happen with Postgres or SQLite databases. This insecure direct object reference (IDOR) flaw stems from weak access controls around user identifiers and enables privilege escalation within the application's data access layer. Exploitation is of low complexity and requires only authenticated access, but it may result in unauthorized exposure and modification of other users' preference data. Users are advised to upgrade to a patched release to mitigate this risk and safeguard sensitive account configurations. The vulnerability has a CVSS score of 5.4.
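The following is an added illustration of the ID-collision IDOR described above, not code from Payload or from the advisory. The preference layout (a polymorphic `user` reference carrying `relationTo` and `value`), the collection names, the actor shape and all sample rows are constructed assumptions; the point is the difference between checking the bare numeric id and checking the (collection, id) pair.

```javascript
// Added illustration of the numeric-ID-collision IDOR described above; this is
// a simplified stand-in, not Payload's own code or schema.
// With Postgres/SQLite both auth collections hand out small integer primary
// keys, so a "users" row and an "admins" row can share id 1 (constructed data).
const PREFERENCES = [
  { id: 10, user: { relationTo: 'users',  value: 1 }, key: 'theme',  value: 'dark' },
  { id: 11, user: { relationTo: 'admins', value: 1 }, key: 'theme',  value: 'light' },
  { id: 12, user: { relationTo: 'users',  value: 2 }, key: 'locale', value: 'de' },
];
// Authenticated actors; each carries the collection it logged in through.
const USER_1  = { collection: 'users',  id: 1 };
const ADMIN_1 = { collection: 'admins', id: 1 };
// Weak ownership rule: compares the bare numeric id only. Any actor whose id
// collides with a user in another auth collection passes.
function weakOwnerCheck(pref, actor) {
  return pref.user.value === actor.id;
}
// Hardened rule: ownership is the (collection, id) pair, never the id alone.
function strictOwnerCheck(pref, actor) {
  return pref.user.relationTo === actor.collection && pref.user.value === actor.id;
}
// Direct object reference: fetch one preference by its id, gated by the rule.
// Returns the entry, or null when the actor is not its owner (or it is absent).
function readPreference(prefId, actor, ownerCheck, prefs = PREFERENCES) {
  const pref = prefs.find((p) => p.id === prefId);
  return pref && ownerCheck(pref, actor) ? pref : null;
}
// Delete everything the rule says the actor owns; returns removed ids and the
// surviving rows (works on a copy so the sample data stays intact).
function deleteOwnPreferences(actor, ownerCheck, prefs = PREFERENCES) {
  const removed = prefs.filter((p) => ownerCheck(p, actor)).map((p) => p.id);
  const remaining = prefs.filter((p) => !ownerCheck(p, actor));
  return { removed, remaining };
}
// Audit helper for a multi-auth deployment: lists numeric ids that appear
// under more than one collection, i.e. the rows a bare-id check would confuse.
function findIdCollisions(prefs = PREFERENCES) {
  const seen = new Map();
  for (const p of prefs) {
    const cols = seen.get(p.user.value) || new Set();
    cols.add(p.user.relationTo);
    seen.set(p.user.value, cols);
  }
  return [...seen].filter(([, cols]) => cols.size > 1).map(([id]) => id);
}
```

Under the weak rule the admin with id 1 can read and delete preference 10, which belongs to the user with id 1; under the strict rule only preference 11 is reachable.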


RECOMMENDATION:

  • We strongly recommend updating PayloadCMS to version 3.75.0 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-jq29-r496-r955
