Executive Summary
CVE-2026-39397 is a critical access control bypass vulnerability (CVSS 9.4) affecting the @delmaredigital/payload-puck npm package — a PayloadCMS plugin for integrating the Puck visual page builder. All versions prior to 0.6.23 register API endpoint handlers with overrideAccess: true in Payload's local API, which completely bypasses PayloadCMS's collection-level access control. The result: every /api/puck/* CRUD endpoint is fully accessible without authentication, exposing any data stored in the application's collections to unauthorized read, write, and delete operations.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-39397 |
| CVSS Score | 9.4 (Critical) |
| Type | Missing Authorization / Access Control Bypass |
| Package | @delmaredigital/payload-puck (npm) |
| Affected Versions | All versions < 0.6.23 |
| Fixed Version | 0.6.23 |
| Authentication | Not required |
| Attack Vector | Network |
| Impact | Unauthorized read, write, delete on all PayloadCMS collections |
Technical Analysis
Root Cause
The createPuckPlugin() function, which registers /api/puck/* CRUD endpoint handlers, calls Payload's local API with the parameter overrideAccess: true. This flag is a PayloadCMS mechanism intended for internal/trusted server-side use only — it instructs the framework to skip all access control checks for that operation.
By calling Payload's local API with overrideAccess: true on user-facing HTTP routes, every collection-level access control rule is silently bypassed for those endpoints. An unauthenticated HTTP request to any /api/puck/* route will receive a full response as if the request came from a privileged internal actor.
```text
Attacker Request → /api/puck/<collection>/<id>
        ↓
createPuckPlugin() handler
        ↓
payload.find({ collection, overrideAccess: true })   ← bypasses ACL
        ↓
Full data returned without authentication check
```
Scope of Affected Operations
All standard CRUD operations registered by the plugin are affected:
| Operation | Endpoint Pattern | Impact |
|---|---|---|
| Read | GET /api/puck/* | Exfiltrate any collection data |
| Create | POST /api/puck/* | Inject arbitrary records |
| Update | PUT/PATCH /api/puck/* | Tamper with any stored content |
| Delete | DELETE /api/puck/* | Destroy any collection records |
This means an attacker with network access to the application can enumerate, extract, modify, and delete data across any collection exposed through the plugin — regardless of configured PayloadCMS access control policies.
Affected Environments
Any PayloadCMS application that:
- Has the @delmaredigital/payload-puck npm package installed
- Is running a version prior to 0.6.23
- Has createPuckPlugin() registered in its PayloadCMS configuration
is fully vulnerable. The attack requires no credentials, no API keys, and no prior knowledge of the application's schema — a simple HTTP request to a discoverable endpoint is sufficient.
Remediation
Immediate Fix
Upgrade to @delmaredigital/payload-puck version 0.6.23 or later.
```bash
npm install @delmaredigital/payload-puck@^0.6.23
# or
yarn add @delmaredigital/payload-puck@^0.6.23
```
The patch removes the overrideAccess: true flag from the endpoint handlers, restoring PayloadCMS's standard collection-level access control enforcement for all /api/puck/* routes.
Post-Patch Steps
- Audit access logs — Review server access logs for unexpected requests to /api/puck/* endpoints prior to patching; look for reads, writes, or deletes not attributable to legitimate users
- Check for data tampering — Verify the integrity of data in PayloadCMS collections, particularly any content managed through the Puck visual editor
- Review exposed data — Assess what data was accessible through affected collections and evaluate notification obligations under applicable privacy regulations (GDPR, CCPA, etc.)
- Rotate secrets if applicable — If collections contain API keys, tokens, or other credentials, rotate them
Temporary Mitigation (Pre-Patch)
If immediate upgrade is not possible:
- Block /api/puck/* routes at the web server/reverse proxy level for unauthenticated requests
- Apply an authentication middleware upstream of these routes as a temporary control
- Restrict network access to the application to trusted sources only
Detection
To check if your application is vulnerable:
```bash
# Check installed version
npm list @delmaredigital/payload-puck
# Check for the overrideAccess pattern in installed code (pre-patch indicator)
grep -r "overrideAccess" node_modules/@delmaredigital/payload-puck/
```
To detect potential exploitation in logs:
```bash
# Look for requests to /api/puck/ endpoints from unexpected IPs
# or during off-hours, without corresponding session tokens.
# Note: this filter only works if your log format records the Authorization
# header; default combined-format access logs do not, so key on method,
# path and source IP instead in that case.
grep "/api/puck/" access.log | grep -v "Authorization:"
```
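Because default access-log formats do not record request headers, a more robust triage keys on method, path and status rather than on an Authorization string. The following is an added example, not part of the advisory: it parses constructed Combined Log Format lines (the nginx/Apache default; this layout is an assumption), keeps every successfully answered /api/puck/* request, tags mutating methods as writes, and ranks source IPs by activity so that pre-patch reads and writes can be reviewed.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format (nginx/Apache default). Assumption: your logs use this layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
PUCK_PATH = re.compile(r'^/api/puck/')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_puck_hits(lines):
    """One record per /api/puck/* request the server answered with 2xx."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not PUCK_PATH.match(rec["path"]):
            continue
        if not rec["status"].startswith("2"):
            continue  # rejected requests (401/403) are not bypasses
        kind = "write" if rec["method"] in WRITE_METHODS else "read"
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                     "path": rec["path"], "kind": kind})
    return hits

def summarize(hits):
    """Per-source-IP read/write counts, most active source first."""
    per_ip = defaultdict(Counter)
    for h in hits:
        per_ip[h["ip"]][h["kind"]] += 1
    return sorted(per_ip.items(), key=lambda kv: -sum(kv[1].values()))

# Constructed sample lines for illustration, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:02:14:01 +0000] "GET /api/puck/pages?limit=100 HTTP/1.1" 200 48213
203.0.113.7 - - [10/Mar/2026:02:14:05 +0000] "GET /api/puck/users?limit=100 HTTP/1.1" 200 9120
203.0.113.7 - - [10/Mar/2026:02:15:10 +0000] "DELETE /api/puck/pages/64f1 HTTP/1.1" 200 52
198.51.100.4 - - [10/Mar/2026:09:30:00 +0000] "GET /api/puck/pages/home HTTP/1.1" 200 3301
198.51.100.4 - - [10/Mar/2026:09:31:12 +0000] "POST /api/puck/pages HTTP/1.1" 201 410
192.0.2.9 - - [10/Mar/2026:09:32:00 +0000] "GET /assets/app.js HTTP/1.1" 200 12000
192.0.2.9 - - [10/Mar/2026:09:33:00 +0000] "PUT /api/puck/pages/home HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for ip, counts in summarize(find_puck_hits(SAMPLE_LOG.splitlines())):
        print(f"{ip}: {counts['read']} reads, {counts['write']} writes")
```

Every source that shows writes before the patch date warrants the integrity checks listed under Post-Patch Steps; reads against collections that hold personal data feed the notification assessment.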