6 matches found

RedhatCVE
added yesterday, 4 views

CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

9.8 CVSS, 5.5 AI score, 0.00071 EPSS
Exploits: 1, References: 1

Veracode
added 2026/05/27 9:11 a.m., 8 views

Improper Access Control

@delmaredigital/payload-puck is vulnerable to Improper Access Control. The vulnerability is due to the use of Payload's local API with overrideAccess: true in /api/puck/ CRUD endpoints, which allows an attacker to bypass collection-level access controls and perform unauthorized actions...

9.8 CVSS, 5.8 AI score, 0.00071 EPSS
Exploits: 1, References: 3, Affected Software: 1

EUVD
added 2026/04/08 12:15 a.m., 1 view

EUVD-2026-19921

@delmaredigital/payload-puck is missing authorization on /api/puck/ CRUD endpoints allows unauthenticated access to Puck-registered collections...

9.4 CVSS, 5.9 AI score, 0.00071 EPSS
Exploits: 1, References: 4

OSV
added 2026/04/08 12:15 a.m., 0 views

GHSA-65W6-PF7X-5G85

@delmaredigital/payload-puck is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

Impact: All /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin and any access rules defined on Puck-registered collections wer...

9.4 CVSS, 6 AI score, 0.00071 EPSS
Exploits: 1, References: 5

Snyk
added 2026/04/07 9:07 p.m., 1 view

Missing Authorization

Overview: @delmaredigital/payload-puck is a Puck visual page builder plugin for Payload CMS. Affected versions of this package are vulnerable to Missing Authorization via the createPuckPlugin function. An attacker can gain unauthorized access to sensitive data and perform unauthorized modifications...

9.8 CVSS, 5.7 AI score, 0.00071 EPSS
Exploits: 1, References: 2

Positive Technologies
added 2026/04/07 12:00 a.m., 3 views

PT-2026-31018

Name of the Vulnerable Software and Affected Versions: @delmaredigital/payload-puck versions prior to 0.6.23. Description: The @delmaredigital/payload-puck plugin for PayloadCMS, a visual page builder integration, had a critical issue where access control was bypassed. Specifically, all CRUD endpoin...

9.4 CVSS, 5.9 AI score, 0.00071 EPSS
Exploits: 1, References: 12