CVE-2026-35441Uncontrolled Resource Consumption in Directus

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling696 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 89.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Directus
Timeline
Latest updateApr 4
PublishedApr 6

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number o

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5directus/directus< 11.17.0
npmdirectus/directus< 11.17.0

🔴Vulnerability Details

2
GHSA
Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits2026-04-04
OSV
Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits2026-04-04

🕵️Threat Intelligence

693
Wiz
GHSA-w3hv-x4fp-6h6j Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-34373 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-34076 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-2739 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-1527 Impact, Exploitability, and Mitigation Steps | Wiz