Highlights
This release patches a high-severity vulnerability by overriding the js-cookie dependency to v3.0.7 (CVE-2026-46625), along with additional audit fixes. Upgrading any projects on older versions of Payload is recommended.
Also in this release:
- Drafts & publishing: reordering documents no longer unpublishes ones that have a newer draft, and re-uploading a draft file no longer unpublishes its document
- Bulk updates: fixed array and block row IDs being regenerated during bulk updates
- Database: MongoDB nested relationship queries now exclude duplicate IDs, and Drizzle unique-constraint validation errors preserve the failing sub-tables
- Rich text: markdown import now preserves hard line breaks
- UI: row fields respect
admin.condition, relationship cells show titles correctly for draft-only documents, and polymorphic upload relations are preserved during bulk select - Tooling: the
payload bin works with tsx on Node v23.5+, and type generation no longer hangs on storage-r2 - Localization: corrected the Burmese locale (removed stray Malay strings)
- Cloud storage: separated client and server utility exports
As always, you can review the complete changelog on GitHub.