@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
References
| Link | Resource |
|---|---|
| https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4 | Patch |
| https://github.com/delmaredigital/payload-puck/issues/7 | Exploit Issue Tracking |
| https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85 | Patch Vendor Advisory |
Configurations
History
15 Apr 2026, 20:29
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:delmaredigital:payload-puck:*:*:*:*:*:node.js:*:* | |
| First Time |
Delmaredigital payload-puck
Delmaredigital |
|
| References | () https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4 - Patch | |
| References | () https://github.com/delmaredigital/payload-puck/issues/7 - Exploit, Issue Tracking | |
| References | () https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85 - Patch, Vendor Advisory |
07 Apr 2026, 21:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-07 21:17
Updated : 2026-04-15 20:29
NVD link : CVE-2026-39397
Mitre link : CVE-2026-39397
CVE.ORG link : CVE-2026-39397
JSON object : View
Products Affected
delmaredigital
- payload-puck
CWE
CWE-862
Missing Authorization