Vulnerability Description
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating the Puck visual page builder. Prior to 0.6.23, every /api/puck/* CRUD endpoint handler registered by createPuckPlugin() called Payload's local API without setting overrideAccess, so the default overrideAccess: true applied and all collection-level access control was bypassed. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints, so any caller who could reach them could read and write the Puck-managed content regardless of authentication. Because the enforcement gap is inside the plugin's own handlers, no configuration change on the consuming project restores it; the fix is to upgrade to 0.6.23 or later and confirm the installed version (for example with npm ls) before treating the deployment as remediated.
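The mechanism in the description, shown as an added example rather than code from payload-puck or Payload CMS: a handler that forwards a request to the local API without overrideAccess: false lets the default (true) skip the collection's access rules. FakePayload below is a stand-in that reproduces only that default and the access-hook call; the collection slug 'pages', the 'editor' role, the handler signatures and the request shape (req.user, req.payload) are assumptions chosen to mirror a Payload custom endpoint, not the plugin's real names.

```typescript
// Added example, not the plugin's or Payload's own code. FakePayload simulates
// the one property of Payload's local API that matters here: `overrideAccess`
// defaults to true, and collection access rules run only when it is false.

type User = { id: string; roles: string[] } | null;
type AccessArgs = { req: { user: User } };

type Collection = {
  slug: string;
  access: { read: (a: AccessArgs) => boolean; update: (a: AccessArgs) => boolean };
  docs: Record<string, Record<string, unknown>>;
};

type LocalOpts = { collection: string; id: string; user?: User; overrideAccess?: boolean };

class FakePayload {
  private collections = new Map<string, Collection>();

  constructor(collections: Collection[]) {
    for (const c of collections) this.collections.set(c.slug, c);
  }

  // Runs the collection's access rule for `op`, but only if the caller opted out
  // of the override. Omitting `overrideAccess` silently yields `true`.
  private gate(op: 'read' | 'update', opts: LocalOpts): Collection {
    const col = this.collections.get(opts.collection);
    if (!col) throw new Error(`unknown collection ${opts.collection}`);
    const overrideAccess = opts.overrideAccess ?? true;
    if (!overrideAccess && !col.access[op]({ req: { user: opts.user ?? null } })) {
      throw new Error('Forbidden');
    }
    return col;
  }

  findByID(opts: LocalOpts): Record<string, unknown> | undefined {
    return this.gate('read', opts).docs[opts.id];
  }

  update(opts: LocalOpts & { data: Record<string, unknown> }): Record<string, unknown> {
    const col = this.gate('update', opts);
    col.docs[opts.id] = { ...col.docs[opts.id], ...opts.data };
    return col.docs[opts.id];
  }
}

// Constructed sample collection (assumed slug and role): anyone may read,
// only users holding the 'editor' role may update.
function makePayload(): FakePayload {
  return new FakePayload([{
    slug: 'pages',
    access: {
      read: () => true,
      update: ({ req }) => Boolean(req.user?.roles.includes('editor')),
    },
    docs: { home: { title: 'Home', content: [] } },
  }]);
}

type Req = { user: User; payload: FakePayload };

// Vulnerable shape described by the advisory: the handler never passes
// `overrideAccess: false`, so the update rule above is never consulted.
function vulnerableUpdateHandler(req: Req, id: string, data: Record<string, unknown>) {
  return req.payload.update({ collection: 'pages', id, data });
}

// Hardened shape: forward the authenticated user and disable the override so
// the collection's own access rules make the decision.
function fixedUpdateHandler(req: Req, id: string, data: Record<string, unknown>) {
  return req.payload.update({ collection: 'pages', id, data, user: req.user, overrideAccess: false });
}

// Drives one handler as a given caller and reports the access outcome.
function attempt(handler: typeof fixedUpdateHandler, user: User): 'allowed' | 'forbidden' {
  const req: Req = { user, payload: makePayload() };
  try {
    handler(req, 'home', { title: 'defaced' });
    return 'allowed';
  } catch (e) {
    if (e instanceof Error && e.message === 'Forbidden') return 'forbidden';
    throw e;
  }
}
```

With the vulnerable handler, attempt(vulnerableUpdateHandler, null) returns 'allowed': an unauthenticated caller rewrites the page even though the collection forbids it. With the fixed handler the same call returns 'forbidden', and only a caller carrying the 'editor' role gets 'allowed'. The point to carry over to real code is that in Payload's local API the safe value has to be stated explicitly on every call; an omitted overrideAccess is not a neutral default.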
CVSS Score
9.4 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Delmaredigital | Payload-Puck | < 0.6.23 |
Related Weaknesses (CWE)
References
- https://github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d445464380 (Patch)
- https://github.com/delmaredigital/payload-puck/issues/7 (Exploit, Issue Tracking)
- https://github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7 (Patch, Vendor Advisory)
FAQ
What is CVE-2026-39397?
CVE-2026-39397 is a vulnerability with a CVSS score of 9.4 (CRITICAL). @delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's ...
How severe is CVE-2026-39397?
CVE-2026-39397 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-39397?
Yes. The vendor fixed the issue in @delmaredigital/payload-puck 0.6.23; the fixing commit and the GitHub security advisory are listed in the references above. Affected product: Delmaredigital Payload-Puck, all versions before 0.6.23.