CVE-2026-25544 is a critical SQL injection vulnerability in Payload CMS, rated CVSS 9.8, that allows unauthenticated attackers to perform blind SQL injections and potentially take over administrative accounts. The flaw resides in how Payload handles queries for specific data types when using Drizzle-based database adapters (specifically PostgreSQL and SQLite), where user input was not properly sanitised when querying JSON or richText fields.
An attacker can exploit this by crafting a query against a public collection, enabling information disclosure bit by bit without needing a password or login token. The advisory explains that when querying JSON or rich text fields, user input was embedded directly into SQL without escaping, enabling blind SQL injection attacks, which can lead to full account takeover if a password reset token is compromised.
The vulnerability affects installations running Payload versions older than v3.73.0 with the affected Drizzle-based adapters. A fix has been released in Payload v3.73.0; as a temporary workaround, the vulnerable fields can be locked down by adding access: { read: () => false } to all JSON and richText fields, according to advisory GHSA-xx6w-jxg9-2wh8.
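The interim workaround has to be applied to every JSON and richText field, including ones nested in groups, tabs and blocks, so it is easy to miss one. The following added example (not Payload's own code) walks a collection config, reports JSON/richText fields that still have no field-level read check, and returns a copy with access: { read: () => false } applied to all of them. The Field and Collection types are a minimal stand-in for Payload's config types, and the posts collection is constructed sample input; both are assumptions.

```typescript
// Added example, not Payload's own code: apply the advisory's interim workaround
// (access: { read: () => false } on every JSON / richText field) across a whole
// collection config and report which fields are still exposed. Field/Collection are
// a minimal stand-in for Payload's config types (an assumption): fields, tabs, blocks.
type Field = {
  name?: string; type: string;
  access?: { read?: (args?: unknown) => boolean | Promise<boolean> };
  fields?: Field[]; tabs?: { name?: string; fields: Field[] }[]; blocks?: { slug: string; fields: Field[] }[];
};
type Collection = { slug: string; fields: Field[] };
const isVulnerableType = (t: string) => t === 'json' || t === 'richText';

// Child fields of a container field (group/array/row/tabs/blocks), flattened.
function childrenOf(f: Field): Field[] {
  const out: Field[] = [];
  for (const x of f.fields ?? []) out.push(x);
  for (const t of f.tabs ?? []) for (const x of t.fields) out.push(x);
  for (const b of f.blocks ?? []) for (const x of b.fields) out.push(x);
  return out;
}

// Dotted config paths of JSON/richText fields that still lack a field-level read check.
function exposedFields(fields: Field[], prefix = '', out: string[] = []): string[] {
  for (const f of fields) {
    const path = prefix + (f.name ?? '(' + f.type + ')');
    if (isVulnerableType(f.type) && !f.access?.read) out.push(path);
    exposedFields(childrenOf(f), path + '.', out);
  }
  return out;
}

// Copy of the collection with read access denied on every JSON/richText field.
function applyWorkaround(c: Collection): Collection {
  const harden = (f: Field): Field => ({
    ...f,
    access: isVulnerableType(f.type) ? { ...f.access, read: () => false } : f.access,
    fields: f.fields?.map(harden),
    tabs: f.tabs?.map((t) => ({ ...t, fields: t.fields.map(harden) })),
    blocks: f.blocks?.map((b) => ({ ...b, fields: b.fields.map(harden) })),
  });
  return { ...c, fields: c.fields.map(harden) };
}

// Constructed sample: public posts collection, unrestricted richText body, JSON field in a tab.
const posts: Collection = { slug: 'posts', fields: [
  { name: 'title', type: 'text' },
  { name: 'content', type: 'richText' },
  { type: 'tabs', tabs: [{ name: 'meta', fields: [{ name: 'extra', type: 'json' }] }] },
] };
```

Run exposedFields against every collection in the config after applying the workaround; an empty result for each confirms no JSON or richText field is left readable until the upgrade to v3.73.0 lands.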