Simplify your stack and build anything. Or everything.
Build tomorrow’s web with a modern solution you truly own.
Code-based nature means you can build on top of it to power anything.
It’s time to take back your content infrastructure.

New in Payload: A Security Patch and Stability Fixes

New in Payload: Release v3.85.2
New in Payload: Release v3.85.2

Payload 3.85.2 patches a high-severity security vulnerability and ships a round of fixes across drafts, bulk updates, database queries, and the admin UI.

Highlights

This release patches a high-severity vulnerability by overriding the js-cookie dependency to v3.0.7 (CVE-2026-46625), along with additional audit fixes. Upgrading any projects on older versions of Payload is recommended.

Also in this release:

  • Drafts & publishing: reordering documents no longer unpublishes ones that have a newer draft, and re-uploading a draft file no longer unpublishes its document
  • Bulk updates: fixed array and block row IDs being regenerated during bulk updates
  • Database: MongoDB nested relationship queries now exclude duplicate IDs, and Drizzle unique-constraint validation errors preserve the failing sub-tables
  • Rich text: markdown import now preserves hard line breaks
  • UI: row fields respect admin.condition, relationship cells show titles correctly for draft-only documents, and polymorphic upload relations are preserved during bulk select
  • Tooling: the payload bin works with tsx on Node v23.5+, and type generation no longer hangs on storage-r2
  • Localization: corrected the Burmese locale (removed stray Malay strings)
  • Cloud storage: separated client and server utility exports

As always, you can review the complete changelog on GitHub.