Directus API (directus/api) vulnerabilities

12 known vulnerabilities affecting directus/api.

Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 8, LOW 1

Vulnerabilities

CVE-2026-26185 | MEDIUM | affected: ≥ 0, < 32.2.0 | 2026-02-12
CWE-203: Directus Vulnerable to User Enumeration via Password Reset Timing Attack
Summary: A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500 ms between existing and non-existing users, enabling reliable user enumeration.
Details: The password reset endpoint i
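A 500 ms gap is large enough to be measured reliably over a network, but a tester still needs to separate it from ordinary jitter. The following is an added example (not Directus code and not from the advisory) of how a pentester would collect and analyse response times: the probe function is whatever the tester writes (for instance a POST to the password reset endpoint with a candidate e-mail), candidates are interleaved so network drift hits all of them equally, and the classification uses per-candidate medians against a baseline anchored by a control name that is known not to exist. The sample timings are constructed.

```javascript
// Timing-oracle analysis for a password-reset user-enumeration check.
// Added example, not Directus code. The probe function is whatever the tester
// writes (e.g. a POST to the password reset endpoint with a candidate e-mail);
// the sample timings below are constructed, not captured from a real server.

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Collects `rounds` wall-clock measurements per candidate. Candidates are
// interleaved round-robin so that network drift over time affects all of them
// equally instead of biasing whichever candidate was probed last.
async function collectTimings(probe, candidates, rounds = 10) {
  const samples = Object.fromEntries(candidates.map((c) => [c, []]));
  for (let r = 0; r < rounds; r++) {
    for (const c of candidates) {
      const t0 = performance.now();
      await probe(c);
      samples[c].push(performance.now() - t0);
    }
  }
  return samples;
}

// samples: { candidate: [ms, ms, ...] }. Returns the baseline (the smallest
// per-candidate median, i.e. the "does not exist" cluster) and every candidate
// whose median sits more than thresholdMs above it. Medians, not means, so a
// single slow request cannot produce a false positive. Always include a
// control name that certainly does not exist so the baseline is anchored.
function classifyByTiming(samples, thresholdMs = 200) {
  const perUser = Object.entries(samples).map(([user, times]) => ({ user, medianMs: median(times) }));
  const baselineMs = Math.min(...perUser.map((m) => m.medianMs));
  const flagged = perUser
    .filter((m) => m.medianMs - baselineMs > thresholdMs)
    .map((m) => ({ user: m.user, medianMs: m.medianMs, deltaMs: m.medianMs - baselineMs }));
  return { baselineMs, flagged };
}

// Constructed sample: two accounts sit roughly 500 ms above the control, and
// one non-existent account has a single slow outlier that must not be flagged.
// classifyByTiming(SAMPLE_TIMINGS) flags alice@example.com (delta 501 ms) and
// admin@example.com (delta 500 ms) against a 101 ms baseline.
const SAMPLE_TIMINGS = {
  'control-does-not-exist@example.invalid': [98, 104, 101, 110, 97],
  'alice@example.com': [602, 598, 640, 611, 595],
  'bob@example.com': [101, 99, 100, 350, 102],
  'admin@example.com': [590, 605, 601, 598, 620],
};
```

The threshold should be set well below the observed gap but well above the spread of the control's own samples; if the control's median is not the minimum, the candidate list probably contains no non-existent names and the baseline is meaningless.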

CVE-2026-22032 | MEDIUM | affected: ≥ 0, < 32.1.1 | 2026-01-06
CWE-601: Directus has open redirect in SAML
Summary: An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter is used in redirects without proper validation against an allowlist of permitted domains.
Vulnerability Description: During SAML authentication, the `RelayState` parameter is intended to pre
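An allow-list check of the kind the advisory calls for has to compare the parsed origin, not a string prefix, and has to treat scheme-relative and backslash forms as absolute URLs rather than as paths. The block below is an added example, not Directus code: the allow-listed origins and the fallback landing page are assumptions made for illustration, and the function is what a callback handler would run on `RelayState` before issuing the redirect.

```javascript
// Hardened RelayState handling for a SAML callback. Added example, not
// Directus code: the allow-list and fallback URL are assumptions made for
// illustration. The rule: relative paths stay on our own origin; absolute
// URLs must be http(s) with an origin on the allow-list; everything else
// (scheme-relative "//host", backslash variants, javascript:, userinfo tricks)
// falls back to a fixed landing page.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const FALLBACK = 'https://app.example.com/';

function safeRedirectTarget(relayState, allowedOrigins = ALLOWED_ORIGINS, fallback = FALLBACK) {
  if (typeof relayState !== 'string' || relayState.length === 0 || relayState.length > 2048) return fallback;

  // Relative path: one leading "/" followed by neither "/" nor "\" (the WHATWG
  // parser treats "/\host" like "//host", i.e. as an authority, not a path).
  if (relayState.startsWith('/') && !/^[\/\\]{2}/.test(relayState)) {
    let u;
    try { u = new URL(relayState, fallback); } catch { return fallback; }
    return u.origin === new URL(fallback).origin ? u.href : fallback;
  }

  // Absolute URL: parse, then compare the parsed origin (not a string prefix,
  // so "https://app.example.com.evil.com" and "https://app.example.com@evil.com"
  // both fail) against the allow-list.
  let u;
  try { u = new URL(relayState); } catch { return fallback; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return fallback;
  if (!allowedOrigins.has(u.origin)) return fallback;
  return u.href;
}
```

Returning the normalised `u.href` rather than the raw parameter also means the `Location` header never carries whatever odd encoding the identity provider echoed back.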

CVE-2025-64748 | MEDIUM | affected: ≥ 0, < 32.0.0 | 2025-11-13
CWE-201: Directus's conceal fields are searchable if read permissions enabled
Summary: A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.
Details: The system permits search operations o
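Masking a value in the response is not enough if the value can still be matched in a `filter` or `search` clause: "does this record come back when I filter on `api_key` starting with `sk_a`" is an oracle that leaks the secret a character at a time. The block below is an added example, not Directus code, of keeping concealed fields out of the query itself. It walks a Directus-style filter object (`_and`/`_or`, `field: { _eq: ... }`, including relational nesting) and lists the concealed fields it touches, and it computes which columns a full-text search may use. The collection metadata is constructed; the only assumption about Directus is the filter shape.

```javascript
// Keeping concealed fields out of filter and search clauses. Added example,
// not Directus code. Filters use the Directus-style shape ({ _and: [...],
// field: { _eq: value } }); the collection metadata below is constructed.
// The point of the advisory: a match on a masked field is still an oracle,
// so the field must be excluded from the query, not just masked in the output.

const LOGICAL = new Set(['_and', '_or']);

// Collects every field path a filter tree references, flattening relational
// nesting ({ author: { api_key: { _eq: 'x' } } } -> "author.api_key").
function referencedFields(filter, prefix = '', out = new Set()) {
  if (Array.isArray(filter)) {
    for (const f of filter) referencedFields(f, prefix, out);
    return out;
  }
  if (filter === null || typeof filter !== 'object') return out;
  for (const [key, value] of Object.entries(filter)) {
    if (LOGICAL.has(key)) { referencedFields(value, prefix, out); continue; }
    if (key.startsWith('_')) continue; // an operator: the leaf was already recorded
    const path = prefix ? `${prefix}.${key}` : key;
    const isLeaf = value === null || typeof value !== 'object' || Array.isArray(value)
      || Object.keys(value).every((k) => k.startsWith('_'));
    if (isLeaf) out.add(path); else referencedFields(value, path, out);
  }
  return out;
}

// Returns the concealed fields a filter would test. A field counts as
// concealed when its full path or its last segment is in the set, which is
// deliberately conservative across relations.
function concealedFieldsInFilter(filter, concealed) {
  return [...referencedFields(filter)]
    .filter((p) => concealed.has(p) || concealed.has(p.split('.').pop()))
    .sort();
}

// The column set a ?search= term may be matched against: text fields only,
// never concealed ones.
function searchableFields(fieldMeta, concealed) {
  return fieldMeta.filter((f) => f.type === 'string' && !concealed.has(f.name)).map((f) => f.name);
}

// Constructed metadata for a hypothetical collection with one masked field.
const FIELD_META = [
  { name: 'email', type: 'string' },
  { name: 'api_key', type: 'string', special: ['conceal'] },
  { name: 'failed_logins', type: 'integer' },
];
const CONCEALED = new Set(FIELD_META.filter((f) => (f.special || []).includes('conceal')).map((f) => f.name));

// Guard to run before the query is built. Whether the request is refused (as
// here) or the clause is dropped, the clause must never reach the database.
function assertNoConcealedFilter(filter, concealed = CONCEALED) {
  const hit = concealedFieldsInFilter(filter, concealed);
  if (hit.length > 0) throw new Error(`filter references concealed field(s): ${hit.join(', ')}`);
  return true;
}
```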

CVE-2025-64749 | MEDIUM | affected: ≥ 0, < 32.0.0 | 2025-11-13
CWE-203: Directus Vulnerable to Information Leakage in Existing Collections
Summary: An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases:
1. A user tries to access an existing collection which they are not authorized to access.
2. A user tries to access a non-existing collection.
The two dif

CVE-2025-55746 | CRITICAL | affected: ≥ 14.1.0, < 28.0.2 | 2025-08-20
CWE-73: Directus allows unauthenticated file upload and file modification due to lacking input sanitization
Summary: A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary

CVE-2024-47822 | MEDIUM | affected: ≥ 0, < 21.0.0 | 2025-04-14
CWE-532: Directus inserts access token from query string into logs
Summary: The access token from the query string is not redacted and is potentially exposed in system logs, which may be persisted.
Details: The access token in `req.query` is not redacted when `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to them can potentially gain administrative contro
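A token that is accepted in the query string ends up in two places a logger sees: the parsed `req.query` object and the raw URL. Both have to be scrubbed in the serializer that produces the logged view, and a copy must be scrubbed rather than the request itself, or authentication downstream breaks. The block below is an added example, not Directus code; the extra key names beyond `access_token` are assumptions added for safety, and the sample log line is constructed. The last function is for cleaning lines that were already persisted before redaction was in place.

```javascript
// Redacting the access token before anything about a request is logged.
// Added example, not Directus code. Directus reads ?access_token=; the other
// key names are assumptions included for safety.

const SENSITIVE_QUERY_KEYS = new Set(['access_token', 'token', 'refresh_token']);
const REDACTED = '[REDACTED]';

// Scrubs sensitive query values in a raw URL or log line. Works on strings
// that URL() would reject, which matters for partial lines in existing logs.
// Stops at "&", "#" or whitespace so the rest of the line survives intact.
function redactUrl(text) {
  return text.replace(/([?&])(access_token|token|refresh_token)=[^&#\s]*/gi, `$1$2=${REDACTED}`);
}

// Returns a copy of the parsed query with sensitive values replaced; the
// original request object is not mutated, so auth still sees the token.
function redactQuery(query) {
  const out = {};
  for (const [k, v] of Object.entries(query)) out[k] = SENSITIVE_QUERY_KEYS.has(k.toLowerCase()) ? REDACTED : v;
  return out;
}

// Request serializer in the shape pino-style loggers accept: hand this to the
// logger instead of the raw req so no code path can log the token by accident.
function requestSerializer(req) {
  return { method: req.method, url: redactUrl(req.url || ''), query: redactQuery(req.query || {}) };
}

// Constructed raw log line of the kind the advisory describes, for cleaning
// logs that were written before redaction existed: redactUrl(SAMPLE_LINE)
// keeps everything except the token value.
const SAMPLE_LINE = '10.0.0.5 GET /items/articles?limit=1&access_token=Secr3tT0ken#frag 200';
```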

CVE-2025-30351 | LOW | affected: ≥ 18.0.0, < 24.0.1 | 2025-03-26
CWE-672: Suspended Directus user can continue to use session token to access API
Summary: Since the user status is not checked when verifying a session token, a suspended user can use a token generated in session auth mode to access the API despite their status.
Details: A check is missing in `verifySessionJWT` to verify that the user is still active and allowed to access the API. Ri

CVE-2025-27089 | MEDIUM | affected: ≥ 22.0.0, < 23.1.0 | 2025-02-19
CWE-863: Directus allows updates to non-allowed fields due to overlapping policies
Summary: If there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply to, the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update ac
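The field allowance for an update depends on which policies match the item being updated, so it has to be computed per item after evaluating each policy's permission filter, not once per user as a union over all policies. The block below is an added example, not Directus code: it shows the unioned (vulnerable) computation next to the per-item one, using constructed policies and a filter matcher that supports only the operators the example needs.

```javascript
// Per-item field permissions from overlapping update policies. Added example,
// not Directus code: the policies are constructed and the filter matcher
// supports only the operators the example needs (_eq, _neq, _in, _and, _or).

function matches(item, filter) {
  if (!filter || Object.keys(filter).length === 0) return true; // no filter: policy applies to every item
  for (const [key, cond] of Object.entries(filter)) {
    if (key === '_and') { if (!cond.every((c) => matches(item, c))) return false; continue; }
    if (key === '_or') { if (!cond.some((c) => matches(item, c))) return false; continue; }
    const ops = cond !== null && typeof cond === 'object' ? cond : { _eq: cond };
    for (const [op, expected] of Object.entries(ops)) {
      if (op === '_eq') { if (item[key] !== expected) return false; }
      else if (op === '_neq') { if (item[key] === expected) return false; }
      else if (op === '_in') { if (!expected.includes(item[key])) return false; }
      else throw new Error(`unsupported operator ${op}`);
    }
  }
  return true;
}

// The behaviour the advisory describes: fields of every update policy are
// unioned without asking which policies the item actually satisfies.
function allowedFieldsVulnerable(_item, policies) {
  return [...new Set(policies.flatMap((p) => p.fields))].sort();
}

// Correct: only policies whose permission filter matches this item contribute.
function allowedFieldsCorrect(item, policies) {
  return [...new Set(policies.filter((p) => matches(item, p.permissions)).flatMap((p) => p.fields))].sort();
}

// Decides an update of `patch` on `item`; `denied` lists the offending fields.
function checkUpdate(item, patch, policies) {
  const allowed = new Set(allowedFieldsCorrect(item, policies));
  const denied = Object.keys(patch).filter((f) => !allowed.has(f));
  return { ok: denied.length === 0, denied };
}

// Constructed policies: drafts may have title/body edited, published items
// may only have their status changed (e.g. to take them down).
const POLICIES = [
  { name: 'edit-drafts', permissions: { status: { _eq: 'draft' } }, fields: ['title', 'body'] },
  { name: 'unpublish', permissions: { status: { _eq: 'published' } }, fields: ['status'] },
];
```

With these two policies the unioned computation lets a user rewrite the title and body of a published item, which is exactly the superset the advisory describes; the per-item computation allows only `status`.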

CVE-2024-54151 | HIGH | affected: ≥ 22.2.0, < 23.2.0 | 2024-12-09
CWE-200: Directus allows unauthenticated access to WebSocket events and operations
Summary: When `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` is set to "public", an unauthenticated user is able to perform any of the supported operations (CRUD, subscriptions) with full admin privileges.
Details: Accountability for unauthenticated WebSocket requests is set to null, which used to be "public per

CVE-2024-46990 | MEDIUM | affected: ≥ 0, < 21.0.0 and ≥ 22.0.0, < 22.1.1 | 2024-09-18
CWE-284: Directus vulnerable to SSRF Loopback IP filter bypass
Impact: If you rely on blocking access to localhost using the default `0.0.0.0` filter, this can be bypassed using other loopback addresses (like `127.0.0.2` - `127.127.127.127`).
Workaround: Block this bypass by manually adding the `127.0.0.0/8` CIDR range, which blocks access to any `127.X.X.X` IP instead of just `127.0.0.1`.

CVE-2024-45596 | HIGH | affected: ≥ 0, < 21.0.1 and ≥ 22.0.0, < 22.2.0 | 2024-09-10
CWE-384: Session is cached for OpenID and OAuth2 if `redirect` is not used
Summary: An unauthenticated user can access the credentials of the last authenticated user via OpenID or OAuth2 where the authentication URL did not include the `redirect` query string. For example:
- Project is configured with OpenID or OAuth2
- Project is configured with cache enabled
- User tries to login via SSO link, but without `redirect` q

CVE-2024-39699 | MEDIUM | affected: ≥ 0, < 17.1.0 | 2024-07-08
CWE-918: Directus Blind SSRF On File Import
Summary: An SSRF vulnerability via file import was already reported: https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h. It was fixed by resolving all DNS names and checking whether the requested IP is an internal IP address. However, it is possible to bypass this security measure and exe