CVE-2026-25574: payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

February 5, 2026 (updated February 7, 2026)

A cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide.

Users are affected if ALL of these are true:

Multiple auth collections configured (e.g., admins + customers)
Postgres or SQLite database adapter with serial/auto-increment IDs
Users in different auth collections with the same numeric ID

Not affected:

@payloadcms/db-mongodb adapter
Single auth collection environments
Postgres/SQLite with idType: 'uuid'

References

Code Behaviors & Features

Detect and mitigate CVE-2026-25574 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →