CVE-2026-39397

CVE-2026-39397 is a critical-severity missing authorization vulnerability in @delmaredigital/payload-puck (npm), affecting versions < 0.6.23. It is fixed in 0.6.23.

Summary

Workarounds

If you cannot upgrade immediately, place a reverse-proxy or middleware authentication check in front of /api/puck/* to require an authenticated session before requests reach the plugin's handlers.
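The gate the workaround above describes, as an added example (not code from the advisory or the payload-puck project): it works against the web-standard Request so it drops into a Next.js middleware. It assumes Payload's session cookie is named payload-token (Payload's default cookie prefix), that the Authorization header carries a JWT or Bearer token, and that the caller supplies the token verifier.

```typescript
// Added example, not code from the payload-puck project or the advisory.
// Assumptions: the auth cookie is "payload-token" (Payload's default prefix) and
// `verify` is supplied by the caller (e.g. checks the JWT against Payload's secret).
const PROTECTED = "/api/puck";

type SessionVerifier = (token: string) => boolean;

function cookieValue(header: string | null, name: string): string | null {
  if (!header) return null;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Payload accepts "JWT <token>"; "Bearer <token>" is accepted here as an assumption.
function headerToken(header: string | null): string | null {
  const m = header?.match(/^(?:JWT|Bearer)\s+(\S+)$/i);
  return m?.[1] ?? null;
}

// Returns a 401 Response for unauthenticated /api/puck/* requests, null otherwise
// (null means "let the request continue to the plugin's handler").
function gatePuckRequest(req: Request, verify: SessionVerifier): Response | null {
  // URL parsing resolves "." and ".." segments, so the prefix check sees the
  // same path the plugin's handlers would receive.
  const path = new URL(req.url).pathname;
  if (path !== PROTECTED && !path.startsWith(PROTECTED + "/")) return null;
  const token =
    cookieValue(req.headers.get("cookie"), "payload-token") ??
    headerToken(req.headers.get("authorization"));
  if (token !== null && verify(token)) return null;
  return new Response(JSON.stringify({ errors: [{ message: "Unauthorized" }] }), {
    status: 401,
    headers: { "content-type": "application/json" },
  });
}
```

In a Next.js middleware, return `gatePuckRequest(req, verify) ?? NextResponse.next()` and set `config.matcher` to `['/api/puck/:path*']` so the gate runs before any plugin handler.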

Impact

All /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints.

An unauthenticated remote attacker could:

  • List all documents (including drafts) in any Puck-registered collection
  • Read any document by ID (including drafts)
  • Create new documents with arbitrary field values
  • Update any document (including bypassing field-level access rules)
  • Delete any document
  • Read version history and restore arbitrary versions

In typical installations, the affected scope is the collection backing the website's pages (default slug: pages). For most users this means an attacker could read, modify, create, or delete every page on the website, including unpublished drafts and version history.

Scope is limited to collections explicitly registered with createPuckPlugin(); because the endpoints validate the collection slug against an allowlist, attackers cannot pivot to other Payload collections such as users, media, or business data not exposed to the plugin. The auto-created puck-templates, puck-ai-prompts, and puck-ai-context collections are also outside the allowlist; they have their own dedicated endpoints with separate authentication.

Other endpoints in the plugin (AI, styles, prompts, context, and the Next.js API route factories in src/api/) were unaffected, as they had their own authentication checks.

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

CVE-2026-39397 has a CVSS score of 9.4 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.6.23); upgrading removes the vulnerable code path.

Affected versions

@delmaredigital/payload-puck (< 0.6.23)

Security releases

@delmaredigital/payload-puck → 0.6.23 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Fixed in 0.6.23. All endpoint handlers in src/endpoints/index.ts now pass overrideAccess: false and forward req to Payload's local API, so collection-level access rules are evaluated against the current user.
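An added illustration of the defect and the fix (not the plugin's own code), also covering the allowlist behaviour described under Impact: a synchronous stand-in for Payload's async local API applies the same rule (access functions run only when overrideAccess is false, and the local API defaults it to true), so the vulnerable and fixed handler shapes can be compared side by side. PayloadStandIn, listVulnerable, listFixed and the sample data are constructed for this example.

```typescript
// Added example, not code from the payload-puck project. PayloadStandIn is a
// synchronous model of Payload's local API: it evaluates a collection's access
// rule only when overrideAccess is false, and defaults overrideAccess to true.
type ReqLike = { user?: { id: string; roles: string[] } | null };
type LocalFindOpts = { collection: string; overrideAccess?: boolean; req?: ReqLike };
type AccessRule = (args: { req: ReqLike }) => boolean;

class PayloadStandIn {
  private rules: Record<string, AccessRule>;
  private docs: Record<string, string[]>;
  constructor(rules: Record<string, AccessRule>, docs: Record<string, string[]>) {
    this.rules = rules;
    this.docs = docs;
  }
  find(opts: LocalFindOpts): string[] {
    const rule = this.rules[opts.collection];
    if (rule === undefined) throw new Error(`unknown collection ${opts.collection}`);
    const overrideAccess = opts.overrideAccess ?? true; // Payload's local API default
    if (!overrideAccess && !rule({ req: opts.req ?? {} })) throw new Error("Forbidden");
    return this.docs[opts.collection] ?? [];
  }
}

// Pre-0.6.23 handler shape: req is not forwarded and overrideAccess keeps its
// default, so the collection's read rule never runs.
function listVulnerable(payload: PayloadStandIn, slug: string): string[] {
  return payload.find({ collection: slug });
}

// 0.6.23 handler shape: slug checked against the plugin's allowlist, req forwarded,
// overrideAccess: false so the rule is evaluated for the current user.
function listFixed(payload: PayloadStandIn, allowlist: readonly string[], slug: string, req: ReqLike): string[] {
  if (!allowlist.includes(slug)) throw new Error(`collection ${slug} is not registered with the plugin`);
  return payload.find({ collection: slug, overrideAccess: false, req });
}

// Constructed sample: "pages" readable by any logged-in user, "users" by admins only.
const samplePayload = new PayloadStandIn(
  { pages: ({ req }) => Boolean(req.user), users: ({ req }) => Boolean(req.user?.roles.includes("admin")) },
  { pages: ["home", "draft-landing"], users: ["alice"] },
);
```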

Frequently Asked Questions

  1. What is CVE-2026-39397? CVE-2026-39397 is a critical-severity missing authorization vulnerability in @delmaredigital/payload-puck (npm), affecting versions < 0.6.23. It is fixed in 0.6.23. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is CVE-2026-39397? CVE-2026-39397 has a CVSS score of 9.4 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @delmaredigital/payload-puck are affected by CVE-2026-39397? @delmaredigital/payload-puck (npm) versions < 0.6.23 are affected.
  4. Is there a fix for CVE-2026-39397? Yes. CVE-2026-39397 is fixed in 0.6.23. Upgrade to this version or later.
  5. Is CVE-2026-39397 exploitable, and should I be worried? Whether CVE-2026-39397 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-39397 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-39397? Upgrade @delmaredigital/payload-puck to 0.6.23 or later.
