CVE-2026-39397 Overview
CVE-2026-39397 is a critical authorization bypass vulnerability in the @delmaredigital/payload-puck plugin, a PayloadCMS integration for the Puck visual page builder. Prior to version 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true setting, completely bypassing all collection-level access control mechanisms. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints, allowing unauthorized users to perform read, create, update, and delete operations on protected content.
Critical Impact
This vulnerability enables unauthenticated attackers to bypass all access control mechanisms and perform unauthorized CRUD operations on content managed through the Puck visual page builder, potentially leading to data theft, content manipulation, or complete site takeover.
Affected Products
- @delmaredigital/payload-puck versions prior to 0.6.23
- PayloadCMS applications using the vulnerable Puck plugin
- Websites utilizing Puck visual page builder with PayloadCMS
Discovery Timeline
- 2026-04-07 - CVE-2026-39397 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39397
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), which represents a fundamental security flaw where the application fails to perform proper authorization checks before allowing access to protected resources or functionality.
The core issue resides in the createPuckPlugin() function's endpoint handlers. When registering API routes under the /api/puck/* path, the plugin invoked Payload's local API with overrideAccess: true hardcoded in the implementation. This boolean flag explicitly tells PayloadCMS to skip all access control checks, effectively creating wide-open endpoints that accept any request regardless of authentication status or user permissions.
What makes this vulnerability particularly insidious is that it silently ignored security configurations. Administrators who properly configured access rules on their Puck-registered collections, or passed access restrictions to createPuckPlugin(), would have believed their content was protected when in fact these security measures had no effect on the vulnerable endpoints.
Root Cause
The root cause is the improper use of Payload's overrideAccess parameter in the plugin's API route handlers. The overrideAccess: true setting was applied as a default across all CRUD operations in the createPuckApiRoutesVersions.ts and related files, bypassing the access control layer entirely. The plugin architecture failed to propagate access control configurations from both the plugin initialization options and the underlying collection definitions to the actual API endpoint handlers.
Attack Vector
An attacker can exploit this vulnerability over the network without authentication. The attack involves sending direct HTTP requests to the exposed /api/puck/* endpoints to perform unauthorized operations:
- Reconnaissance: Identify PayloadCMS applications using the Puck plugin by probing for /api/puck/ endpoints
- Data Exfiltration: Send GET requests to retrieve sensitive page content and version history
- Content Manipulation: Send POST/PUT requests to modify existing pages or create malicious content
- Data Destruction: Send DELETE requests to remove critical page content
The following patch excerpt shows the fix applied to enforce proper access control:
PuckApiVersionsRouteHandlers,
RouteHandlerWithIdContext,
} from './types.js'
-import {resolveLocaleFromNextRequest} from "../utils/locale";
+import { resolveLocaleFromNextRequest } from '../utils/locale.js'
/**
* Create API route handlers for /api/puck/pages/[id]/versions
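Review bot: this excerpt does not actually show the access-control change the advisory describes; the only visible change is the normalisation of the `resolveLocaleFromNextRequest` import (double to single quotes, spaces inside the braces, explicit `.js` extension). Anyone verifying the fix should look at the handler bodies in createPuckApiRoutesVersions.ts and the related files where the local API calls set `overrideAccess`, not at this import line.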
Source: GitHub Commit
The complete security fix ensures that the overrideAccess parameter is properly set to false or respects the access configurations provided by administrators, restoring the intended access control behavior.
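The following added example (not the plugin's or Payload's own code) models how the `overrideAccess` default produces the bug described above: a constructed stand-in for Payload's local API skips the collection's access rule whenever `overrideAccess` is true, so both the collection-level rule and a plugin-level `access` option are silently ignored by the vulnerable handler shape, while the hardened shape consults both. The collection, users and access rules are all constructed for illustration.

```javascript
// Constructed model of Payload's local API semantics (illustration only).
// A collection's access.read rule receives { req } and returns a boolean.
const collections = {
  // Constructed collection: only authenticated users may read pages.
  'puck-pages': {
    access: { read: ({ req }) => Boolean(req.user) },
    docs: [{ id: 'home', title: 'Home (draft)' }],
  },
};

// Constructed stand-in for the `access` option of createPuckPlugin():
// only users holding the editor role may use the Puck endpoints at all.
const pluginAccess = ({ req }) =>
  Boolean(req.user && req.user.roles.includes('editor'));

// Minimal stand-in for payload.find(): when overrideAccess is true (the
// local API default) the collection access rule is never consulted.
function localFind({ collection, req, overrideAccess = true }) {
  const col = collections[collection];
  if (!overrideAccess && !col.access.read({ req })) {
    return { status: 403, docs: [] };
  }
  return { status: 200, docs: col.docs };
}

// Vulnerable handler shape (pre-0.6.23): relies on the default, so neither
// the plugin-level option nor the collection rule has any effect.
function vulnerableHandler(req) {
  return localFind({ collection: 'puck-pages', req });
}

// Hardened handler shape: enforce the plugin-level option, then pass
// overrideAccess: false so the collection's own rules are evaluated.
function fixedHandler(req) {
  if (!pluginAccess({ req })) return { status: 403, docs: [] };
  return localFind({ collection: 'puck-pages', req, overrideAccess: false });
}

// Constructed requests: anonymous, a viewer without the editor role, an editor.
const anonymous = { user: null };
const viewer = { user: { id: 'u2', roles: ['viewer'] } };
const editor = { user: { id: 'u1', roles: ['editor'] } };
```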
Detection Methods for CVE-2026-39397
Indicators of Compromise
- Unexpected HTTP requests to /api/puck/* endpoints from unauthenticated sources
- Unusual patterns of CRUD operations on Puck-managed collections without corresponding admin activity
- Access logs showing successful responses to /api/puck/ endpoints from external IP addresses
- Content modifications or deletions that cannot be attributed to authorized users
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on unusual traffic patterns to /api/puck/* endpoints
- Review application logs for API calls to Puck endpoints that lack proper authentication headers
- Audit content version histories in PayloadCMS for unauthorized modifications
- Deploy anomaly detection to identify bulk data access or modification patterns indicative of exploitation
Monitoring Recommendations
- Enable verbose logging for all /api/puck/* endpoint access with client IP, authentication status, and request details
- Set up real-time alerting for any unauthenticated requests to Puck API endpoints
- Monitor for sudden spikes in API traffic to content management endpoints
- Implement integrity monitoring for critical page content managed through Puck
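As an added example of the indicators and strategies listed above (not part of the original advisory), the script below runs over constructed access-log lines in a simplified "ip method path status auth" format, flags successful responses on /api/puck/ endpoints that carried no credentials, and summarises reads and writes per client IP so bulk or destructive activity from one source stands out. The log format and all addresses are constructed for illustration.

```javascript
// Constructed access-log sample (not real logs). Fields: ip method path status auth,
// where auth is '-' when the request carried no credentials.
const sampleLog = `
203.0.113.7 GET /api/puck/pages 200 -
203.0.113.7 GET /api/puck/pages/home/versions 200 -
203.0.113.7 DELETE /api/puck/pages/home 200 -
198.51.100.2 GET /api/puck/pages 200 Bearer
198.51.100.2 PUT /api/puck/pages/about 200 Bearer
192.0.2.9 GET /api/pages 200 -
192.0.2.9 POST /api/puck/pages 401 -
`;

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Parse one line into an entry; blank or malformed lines yield null.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null;
  const [ip, method, path, status, auth] = parts;
  return { ip, method, path, status: Number(status), authenticated: auth !== '-' };
}

// Indicator of compromise from the advisory: a 2xx response on an
// /api/puck/ endpoint for a request with no authentication.
function findUnauthenticatedPuckHits(logText) {
  return logText
    .split('\n')
    .map(parseLine)
    .filter(Boolean)
    .filter((e) => e.path.startsWith('/api/puck/'))
    .filter((e) => !e.authenticated && e.status >= 200 && e.status < 300);
}

// Per-IP read/write counts, so that version-history scraping (bulk reads)
// or destructive traffic (writes) from a single source is easy to spot.
function summariseByIp(hits) {
  const out = {};
  for (const h of hits) {
    out[h.ip] = out[h.ip] || { reads: 0, writes: 0 };
    if (WRITE_METHODS.has(h.method)) out[h.ip].writes += 1;
    else out[h.ip].reads += 1;
  }
  return out;
}
```

Authenticated traffic and rejected (401) requests are deliberately excluded, since only successful unauthenticated access indicates the bypass was exercised.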
How to Mitigate CVE-2026-39397
Immediate Actions Required
- Upgrade @delmaredigital/payload-puck to version 0.6.23 or later immediately
- Audit logs for any suspicious access to /api/puck/* endpoints prior to patching
- Review and verify the integrity of all content managed through the Puck plugin
- Temporarily restrict network access to /api/puck/* endpoints if immediate patching is not possible
Patch Information
The vulnerability has been fixed in version 0.6.23 of the @delmaredigital/payload-puck package. The patch ensures that collection-level access control is properly enforced on all Puck API endpoints and that the access configuration options are no longer silently ignored. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-65w6-pf7x-5g85 and the patch commit.
Workarounds
- Implement reverse proxy or WAF rules to restrict access to /api/puck/* endpoints to authenticated users only
- Add network-level restrictions limiting Puck API endpoint access to trusted IP ranges
- Deploy authentication middleware at the application gateway level to protect vulnerable routes
- Consider temporarily disabling the Puck plugin in production environments until the upgrade can be applied
# Upgrade example
# Install the patched release line (the caret range stays within 0.x and picks up later fixes)
npm install @delmaredigital/payload-puck@^0.6.23
# Or pin the exact fixed version
npm install @delmaredigital/payload-puck@0.6.23
# Verify that the installed version is 0.6.23 or later
npm list @delmaredigital/payload-puck
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.