User Session Fixation after Account Removal in PayloadCMS_CVE-2025-4644

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.

Basic Information

ID CVE-2025-4644

Source CERT-PL

Published Aug 29, 2025 at 10:01

Affected Product

Vendor Payload CMS

Product Payload

Affected Versions Payload CMS Payload 0

CWE Classification

CWE-384

References

{
    "lastseen": "",
    "description": "A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.\n\nThis issue has been fixed in version 3.44.0 of Payload.",
    "published": "2025-08-29T10:01:13.697Z",
    "modified": "2025-08-29T10:01:13.697Z",
    "type": "cve",
    "title": "User Session Fixation after Account Removal in PayloadCMS",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2025/08/CVE-2025-4643\nhttps://payloadcms.com\nhttps://github.com/payloadcms/payload",
    "id": "CVE-2025-4644",
    "bulletinFamily": "",
    "cwe": [
        "CWE-384"
    ],
    "cvelist": null,
    "sourceData": "Payload CMS Payload 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Payload",
    "version": "0",
    "vendor": "Payload CMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}