cbcvebase.
CVE-2026-26185
published 2026-02-12


Priority: P4 (33), medium
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.35% (26.8th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
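The pattern behind this advisory, as an added example that is not Directus code: a hypothetical password-reset handler whose elapsed time depends on whether the account exists, a hardened version that does not leak, and the timing probe an attacker would run against both. The user table, the reset_url allow list, the 40 ms stand-in for the slow step and the direction of the difference are all assumptions made for the illustration, since the page does not show the affected code. Runs on Node.js without dependencies.

```javascript
// Added illustration (not Directus code): a password-reset handler whose response
// time depends on whether the account exists, beside a version that does not, and
// a timing probe of the kind an attacker would use. All names and costs below are
// constructed for the example.

const USERS = new Set(['alice@example.com', 'bob@example.com']); // constructed user table
const RESET_URL_ALLOW_LIST = ['https://app.example.com/reset'];   // constructed allow list
const SLOW_STEP_MS = 40; // stand-in for the expensive step (the advisory reports ~500 ms)

// Synchronous sleep standing in for slow work such as signing a token or queuing mail.
function expensiveWork(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

function isAllowedResetUrl(url) {
  return RESET_URL_ALLOW_LIST.includes(url);
}

// Vulnerable shape (assumed, for illustration): unknown users get dummy work so the
// happy path looks uniform, but a known user with an invalid reset_url is rejected
// before that work happens. Both outcomes return the same status, so only the
// elapsed time reveals whether the account exists.
function vulnerableRequestReset(email, resetUrl) {
  if (!USERS.has(email)) {
    expensiveWork(SLOW_STEP_MS);      // padding meant to hide non-existence
    return { status: 204 };
  }
  if (!isAllowedResetUrl(resetUrl)) {
    return { status: 204 };           // early exit: the padding branch was skipped
  }
  expensiveWork(SLOW_STEP_MS);        // sign the token and hand it to the mailer
  return { status: 204 };
}

// Hardened shape: reject attacker-controlled input before any branch that depends
// on the account, then pay the same cost whether or not the user exists.
function hardenedRequestReset(email, resetUrl) {
  if (!isAllowedResetUrl(resetUrl)) {
    return { status: 400 };           // identical for every email address
  }
  const exists = USERS.has(email);
  expensiveWork(SLOW_STEP_MS);        // same work on both paths
  if (exists) {
    // hand the token to the mailer here; nothing about this reaches the response
  }
  return { status: 204 };
}

// Median elapsed time in ms over n calls, which damps scheduler noise.
function medianResponseMs(handler, email, resetUrl, n = 5) {
  const samples = [];
  for (let i = 0; i < n; i++) {
    const t0 = performance.now();
    handler(email, resetUrl);
    samples.push(performance.now() - t0);
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(n / 2)];
}

// Timing probe: send an invalid reset_url for the candidate and for an address
// that certainly does not exist, and compare the medians. Any gap of at least
// half the slow step, in either direction, is treated as "account exists".
function probe(handler, candidateEmail, baselineEmail = 'nobody@example.invalid') {
  const badUrl = 'https://attacker.example/reset'; // not on the allow list
  const gapMs = medianResponseMs(handler, candidateEmail, badUrl)
              - medianResponseMs(handler, baselineEmail, badUrl);
  return { gapMs, exists: Math.abs(gapMs) >= SLOW_STEP_MS / 2 };
}

// Demo run against the constructed data.
for (const [name, handler] of [['vulnerable', vulnerableRequestReset],
                               ['hardened', hardenedRequestReset]]) {
  for (const email of ['alice@example.com', 'mallory@example.com']) {
    const r = probe(handler, email);
    console.log(`${name.padEnd(10)} ${email.padEnd(20)} gap ${r.gapMs.toFixed(1).padStart(6)} ms  exists? ${r.exists}`);
  }
}
```

Against the vulnerable handler the probe flags alice (the only work on her path is skipped) and not mallory; against the hardened handler every address measures the same. The two rules the fix embodies are the ones to check for in any account-recovery endpoint: validate request parameters before the user lookup, and run identical work on the exists and does-not-exist paths. Over a network, take more samples per address and compare against a known-absent baseline rather than an absolute threshold; a fix is adequate when the gap is indistinguishable from jitter.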

Affected (5 ranges)

Vendor     Product       Version range       Fixed in
directus   api           >= 0 < 32.2.0       32.2.0
directus   directus      < 11.14.1           11.14.1
directus   directus      >= 0 < 11.14.1      11.14.1
directus   directus_api  < 32.2.0            32.2.0
monospace  directus      < 11.15.0           11.15.0