CVE-2026-35413 — Sensitive Information Exposure in Directus

CWE-200 — Sensitive Information Exposure696 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 85.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Directus

Timeline

Latest updateApr 4

PublishedApr 6

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5directus/directus< 11.16.1

▶npmdirectus/directus< 11.16.1

🔴Vulnerability Details

GHSA

Directus: GraphQL Schema SDL Disclosure Setting↗2026-04-04

▶

OSV

Directus: GraphQL Schema SDL Disclosure Setting↗2026-04-04

▶

🕵️Threat Intelligence

693

Wiz

GHSA-w3hv-x4fp-6h6j Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34373 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34076 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-2739 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-1527 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶