Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the passwor…

A vulnerability in the password recovery flow of Payload CMS, a free and open source headless content management system, could allow unauthenticated attackers to perform actions on behalf of users who initiate password resets. The vulnerability affects versions prior to 3.79.1 in both @payloadcms/graphql and payload packages. The issue has been patched in version 3.79.1. This represents a significant security risk as it allows privilege escalation without authentication during the password reset process.