CVE-2026-39943Sensitive Information Exposure in Directus

CWE-200Sensitive Information ExposureCWE-312Cleartext Storage of Sensitive Info37 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 92.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Directus
Timeline
PublishedApr 9

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision r

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5directus/directus< 11.17.0
npmdirectus/directus< 11.17.0

🔴Vulnerability Details

3
VulDB
Directus up to 11.16.x information disclosure (GHSA-mvv8-v4jj-g47j)2026-04-09
GHSA
Directus: Sensitive fields exposed in revision history2026-04-04
OSV
Directus: Sensitive fields exposed in revision history2026-04-04

🕵️Threat Intelligence

33
Wiz
CVE-2026-39409 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-39983 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-35525 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-35041 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-62718 Impact, Exploitability, and Mitigation Steps | Wiz