CVE-2025-4644: Payload's SQLite adapter Session Fixation vulnerability

August 29, 2025

A Session Fixation vulnerability existed in Payload’s SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.

This issue has been fixed in version 3.44.0 of Payload.

References

cert.pl/en/posts/2025/08/CVE-2025-4643
github.com/advisories/GHSA-26rv-h2hf-3fw4
github.com/payloadcms/payload
github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809
nvd.nist.gov/vuln/detail/CVE-2025-4644

Code Behaviors & Features

Detect and mitigate CVE-2025-4644 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →