CVE-2026-35409 — Server-Side Request Forgery in Directus

CWE-918 — Server-Side Request Forgery CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.7HIGHNVD

EPSS

0.0%

top 91.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Directus

Timeline

Latest updateApr 4

PublishedApr 6

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages2 packages

▶CVEListV5directus/directus< 11.16.0

▶npmdirectus/directus< 11.16.0

🔴Vulnerability Details

OSV

Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import↗2026-04-04

▶

GHSA

Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import↗2026-04-04

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35409 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶