CVE-2026-35409
Published 2026-04-06
Priority P3 · 49 · Severity: high · CVSS 3.1 base score 7.7
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.34% (25.4th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | < 11.16.0 | 11.16.0 |
| directus | directus | >= 0 < 11.16.0 | 11.16.0 |
| monospace | directus | < 11.16.0 | 11.16.0 |
OSV
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
osv·2026-04-04
CVE-2026-35409 [HIGH] Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
### Summary
A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.
### Details
Directus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of `127.0.0.1`) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP clie
GHSA
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
ghsa·2026-04-04
CVE-2026-35409 [HIGH] CWE-20 Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
No detection rules found.
No public exploits indexed.