CVE-2026-34751: CVE-2026-34751: Unvalidated Input in Password Recovery Endpoints in Payload CMS

CVE-2026-34751: Unvalidated Input in Password Recovery Endpoints in Payload CMS Vulnerability ID: CVE-2026-34751 CVSS Score: 9.1 Published: 2026-04-01 Payload CMS prior to version 3.79.1 contains a critical vulnerability in its password recovery endpoints. This flaw allows an unauthenticated attacker to manipulate password reset links via Host header injection and exploit partial token matches in database adapters, leading to unauthorized account takeover. TL;DR A critical flaw in Payload CMS (< 3.79.1) permits unauthenticated attackers to achieve account takeover through Host header injection in password reset emails and database query partial-match misconfigurations. ⚠️ Exploit Status: POC Technical Details CWE ID : CWE-640 Attack Vector : Network CVSS Score : 9.1 (Critical) Exploit Status : Proof of Concept (PoC) CISA KEV : Not Listed Affected Component : Password Recovery Endpoints Affected Systems Payload CMS payload package @payloadcms/graphql package payload : < 3.79.1 (Fixed in