CVE-2026-34750: Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

April 1, 2026

The client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location.

Consumers are affected if ALL of these are true:

Payload version < v3.78.0
Using client-upload signed-URL endpoints for any supported storage adapter

References

github.com/advisories/GHSA-frq9-7j6g-v74x
github.com/payloadcms/payload
github.com/payloadcms/payload/security/advisories/GHSA-frq9-7j6g-v74x
nvd.nist.gov/vuln/detail/CVE-2026-34750

Code Behaviors & Features

Detect and mitigate CVE-2026-34750 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →