CVE-2026-35442: Sensitive Information Exposure in Directus

Severity: 8.1 HIGH (NVD)
EPSS: 0.0% (top 88.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: directus/directus
Timeline: Latest update Apr 4; Published Apr 6

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: directus/directus < 11.17.0
npm: directus/directus < 11.17.0

Vulnerability Details (2)

GHSA: Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries (2026-04-04)
OSV: Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries (2026-04-04)

Threat Intelligence

Wiz: GHSA-w3hv-x4fp-6h6j Impact, Exploitability, and Mitigation Steps