CVE-2026-26185
Published 2026-02-12
Priority P4 · 33 · medium · CVSS 3.1 base score 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.35% (26.8th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | api | >= 0 < 32.2.0 | 32.2.0 |
| directus | directus | < 11.14.1 | 11.14.1 |
| directus | directus | >= 0 < 11.14.1 | 11.14.1 |
| directus | directus_api | < 32.2.0 | 32.2.0 |
| monospace | directus | < 11.15.0 | 11.15.0 |
GHSA (ghsa · 2026-02-12)
CVE-2026-26185 [MEDIUM] CWE-203: Directus Vulnerable to User Enumeration via Password Reset Timing Attack
### Summary
A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.
### Details
The password reset endpoint implements a timing protection mechanism to prevent user enumeration; however, URL validation executes before the timing protection is applied. This allows an attacker to distinguish between valid and invalid user accounts based on response timing differences.
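The ordering problem the advisory describes can be seen in a small model of a password-reset handler. The following is an added example, not Directus code: the handler shape, the 500 ms floor, the mail-send cost, the allow-list and the user table are all constructed assumptions, and a simulated clock replaces real sleeps so the measured difference is deterministic. `requestResetVulnerable` places the `reset_url` check inside the "user exists" branch, ahead of the padding, while `requestResetFixed` validates the request before the lookup and pads every remaining path to the same floor.

```javascript
// Added example, not Directus code. Models the ordering bug described in the
// advisory with a simulated clock so the timing difference is deterministic.
// Names, costs and the 500 ms floor are constructed assumptions.

const FLOOR_MS = 500;   // assumed: the handler's timing-protection floor
const MAIL_MS = 20;     // constructed: cost of rendering and sending the email
const ALLOWED_RESET_URLS = ['https://app.example.test/reset']; // constructed allow-list
const USERS = new Set(['alice@example.test']);                  // constructed user table

// Simulated clock: handlers "spend" time by advancing it, so no real sleeps.
function makeClock() {
  let t = 0;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

function isAllowedResetUrl(resetUrl) {
  return ALLOWED_RESET_URLS.includes(resetUrl);
}

// Pad the request so every path that reaches this point takes at least FLOOR_MS.
function padToFloor(clock, start) {
  const spent = clock.now() - start;
  if (spent < FLOOR_MS) clock.advance(FLOOR_MS - spent);
}

// Vulnerable ordering (assumed shape): the reset_url check sits inside the
// "user exists" branch and returns before the padding runs. Unknown accounts
// always pay the floor; known accounts with a bad reset_url return at once.
function requestResetVulnerable(email, resetUrl, clock) {
  const start = clock.now();
  if (USERS.has(email)) {
    if (!isAllowedResetUrl(resetUrl)) {
      return { status: 400, elapsedMs: clock.now() - start }; // fast path reveals existence
    }
    clock.advance(MAIL_MS);
  }
  padToFloor(clock, start);
  return { status: 204, elapsedMs: clock.now() - start };
}

// Hardened ordering: validate everything that does not depend on the account
// before the lookup, so a bad reset_url fails identically for everyone, then
// pad every remaining path to the same floor.
function requestResetFixed(email, resetUrl, clock) {
  const start = clock.now();
  if (!isAllowedResetUrl(resetUrl)) {
    return { status: 400, elapsedMs: clock.now() - start }; // user table not consulted yet
  }
  if (USERS.has(email)) clock.advance(MAIL_MS);
  padToFloor(clock, start);
  return { status: 204, elapsedMs: clock.now() - start };
}

// Run one known and one unknown account through a handler and report the gap
// in simulated milliseconds; a non-zero gap is the leak the advisory describes.
function measureGap(handler, resetUrl) {
  const known = handler('alice@example.test', resetUrl, makeClock());
  const unknown = handler('nobody@example.test', resetUrl, makeClock());
  return {
    knownMs: known.elapsedMs,
    unknownMs: unknown.elapsedMs,
    gapMs: Math.abs(known.elapsedMs - unknown.elapsedMs),
  };
}

const badUrl = 'https://not-on-the-allow-list.example.test/reset'; // constructed
console.log('vulnerable, invalid reset_url:', measureGap(requestResetVulnerable, badUrl));
console.log('fixed, invalid reset_url:     ', measureGap(requestResetFixed, badUrl));
```

With the invalid `reset_url` the vulnerable handler shows a 500 ms gap between the two accounts while the fixed one shows none; with a valid `reset_url` both handlers already hide the difference, which is why the bug only appears on the validation-failure path. The general rule the fix illustrates is that request validation that does not depend on the account must run before any account lookup, and that the constant-time floor must cover every exit from the handler, including error exits.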
### Impact
This vulnerability violates user privacy and may facilitate targeted phishing attacks by allowing attackers to confirm the existence
OSV (osv · 2026-02-12): Directus Vulnerable to User Enumeration via Password Reset Timing Attack
No detection rules found.
No public exploits indexed.
Published: 2026-02-12