Improper Verification of Cryptographic Signature Affecting @jhb.software/payload-cloudinary-plugin package, versions >=0.3.0 <0.4.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-JHBSOFTWAREPAYLOADCLOUDINARYPLUGIN-17817897
  • published5 Jul 2026
  • disclosed19 Jun 2026
  • creditUnknown

Introduced: 19 Jun 2026

NewCVE-2026-58200  (opens in a new tab)
CWE-347  (opens in a new tab)

How to fix?

Upgrade @jhb.software/payload-cloudinary-plugin to version 0.4.0 or higher.

Overview

@jhb.software/payload-cloudinary-plugin is a Payload CMS storage adapter for Cloudinary

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the cloudinary-generate-signature endpoint, which forwards attacker-controlled parameters to the signature generation process without proper validation or filtering. An attacker can obtain valid cryptographic signatures for arbitrary Cloudinary API parameters by sending crafted requests as any authenticated user, enabling unauthorized asset replacement, access-control bypass, server-side request forgery, and manipulation of asset storage paths. This is only exploitable if the deployment is configured with clientUploads: true.

CVSS Base Scores

version 4.0
version 3.1