CVE-2026-35408Origin Validation Error in Directus

CWE-346Origin Validation ErrorCWE-693Protection Mechanism Failure4 documents4 sources
Severity
8.7HIGHNVD
EPSS
0.0%
top 95.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Directus
Timeline
Latest updateApr 4
PublishedApr 6

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, cau

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.8

Affected Packages2 packages

CVEListV5directus/directus< 11.17.0
npmdirectus/directus< 11.17.0

🔴Vulnerability Details

2
GHSA
Directus: Missing Cross-Origin Opener Policy2026-04-04
OSV
Directus: Missing Cross-Origin Opener Policy2026-04-04

🕵️Threat Intelligence

1
Wiz
CVE-2026-35408 Impact, Exploitability, and Mitigation Steps | Wiz