What's the vulnerability?

When querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL Injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking.

Users are affected if ALL of these are true:

  1. Payload version < v3.73.0
  2. Using a Drizzle-based database adapter (@payloadcms/drizzle as dependency):
    • @payloadcms/db-postgres
    • @payloadcms/db-vercel-postgres
    • @payloadcms/db-sqlite
    • @payloadcms/db-d1-sqlite
  3. At least one accessible collection that has a type: 'json' or type: 'richText' field where access.read returns anything other than false (true or Where constraint)

Users are NOT affected if:

  • Using @payloadcms/db-mongodb
  • No JSON or richText fields exist in any collection
  • All JSON/richText fields have access: { read: () => false }

Root Cause Analysis
One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00092
or pruva-verify GHSA-xx6w-jxg9-2wh8
or pruva-verify CVE-2026-25544
Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

1

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00092/artifacts/repro/reproduction_steps.sh
2

Make executable

chmod +x reproduction_steps.sh
3

Run the script

./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...