Impact
A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.
You are affected if ALL of these are true:
- Multiple auth collections configured (e.g.,
admins + customers)
- Postgres or SQLite database adapter with serial/auto-increment IDs
- Users in different auth collections with the same numeric ID
Not affected:
@payloadcms/db-mongodb adapter- Single auth collection environments
- Postgres/SQLite with
idType: 'uuid'
Patches
This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.
Workarounds
There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.
Impact
A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the
payload-preferencesinternal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.You are affected if ALL of these are true:
admins+customers)Not affected:
@payloadcms/db-mongodbadapteridType: 'uuid'Patches
This vulnerability has been patched in v3.74.0. Users should upgrade to v3.74.0 or later.
Workarounds
There is no workaround other than upgrading. Users with multiple auth collections using Postgres or SQLite with serial IDs should upgrade immediately.