Critical severity 9.4 (NVD Advisory) · Published Apr 7, 2026 · Updated Apr 15, 2026
CVE-2026-39397
Description
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
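The defect the description names, as an added example that is not code from payload-puck or from Payload: a minimal stand-in for Payload's local API (overrideAccess defaults to true, which skips collection access rules) and a constructed `puck-pages` collection with an admin-only read rule, showing the pre-0.6.23 handler pattern beside a hardened one that passes overrideAccess: false together with the request user.

```javascript
// Added example, not code from payload-puck or Payload. The local API stand-in
// below models the documented Payload behaviour the advisory relies on:
// overrideAccess defaults to true and skips collection access rules entirely.
const collections = {
  // Constructed collection: read access is limited to admin users.
  'puck-pages': {
    access: { read: ({ req }) => Boolean(req.user && req.user.role === 'admin') },
    docs: [{ id: 1, title: 'Unpublished landing page' }],
  },
};

// Stand-in for payload.find({ collection, overrideAccess, user }).
function localFind({ collection, overrideAccess = true, user = null }) {
  const col = collections[collection];
  if (!overrideAccess && !col.access.read({ req: { user } })) {
    throw new Error('Forbidden');
  }
  return { docs: col.docs };
}

// Wraps a handler body into an HTTP-style result so both variants compare alike.
function respond(fn) {
  try {
    return { status: 200, body: fn() };
  } catch (e) {
    return { status: 403, body: { error: e.message } };
  }
}

// Pre-0.6.23 pattern: the default overrideAccess:true means the collection's
// read rule never runs, so any caller of the endpoint gets the documents.
function vulnerableHandler(req) {
  return respond(() => localFind({ collection: 'puck-pages' }));
}

// Hardened pattern: disable the override and forward the request user so the
// collection's own access rules decide the outcome.
function hardenedHandler(req) {
  return respond(() =>
    localFind({ collection: 'puck-pages', overrideAccess: false, user: req.user }));
}
```

Running `vulnerableHandler({ user: null })` returns status 200 with the documents, while `hardenedHandler({ user: null })` returns 403 and only an admin user gets 200.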
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @delmaredigital/payload-puck (npm) | < 0.6.23 | 0.6.23 |
Affected products
- cpe:2.3:a:delmaredigital:payload-puck:*:*:*:*:*:node.js:*:* (range: < 0.6.23)
References
- github.com/delmaredigital/payload-puck/commit/9148201c6bbfa140d44546438027a2f8a70f79a4 (NVD: Patch)
- github.com/delmaredigital/payload-puck/security/advisories/GHSA-65w6-pf7x-5g85 (NVD: Patch, Vendor Advisory)
- github.com/delmaredigital/payload-puck/issues/7 (NVD: Exploit, Issue Tracking)
- github.com/advisories/GHSA-65w6-pf7x-5g85 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-39397 (GHSA: Advisory)