CVE-2026-39942Improper Access Control in Directus

CWE-284Improper Access ControlCWE-639Authorization Bypass Through User-Controlled KeyCWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes37 documents5 sources
Severity
8.5HIGHNVD
EPSS
0.0%
top 90.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Directus
Timeline
PublishedApr 9

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:NExploitability: 3.1 | Impact: 4.7

Affected Packages2 packages

CVEListV5directus/directus< 11.17.0
npmdirectus/directus< 11.17.0

🔴Vulnerability Details

3
VulDB
Directus up to 11.16.x /files/ filename_disk access control (GHSA-393c-p46r-7c95)2026-04-09
OSV
Directus: Path Traversal and Broken Access Control in File Management API2026-04-04
GHSA
Directus: Path Traversal and Broken Access Control in File Management API2026-04-04

🕵️Threat Intelligence

33
Wiz
CVE-2026-39409 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-39983 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-35525 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-35041 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-62718 Impact, Exploitability, and Mitigation Steps | Wiz