
Directus vulnerabilities

59 known vulnerabilities affecting directus/directus.

Total CVEs: 59
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 45, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-35412 | P3 | HIGH | CVSS 8.1 | fixed in 11.16.1 | 2026-04-06
CVE-2026-35412 [HIGH] CWE-863: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the use
Sources: ghsa, nvd, osv
CVE-2026-39942 | P3 | HIGH | CVSS 8.8 | fixed in 11.17.0 | 2026-04-09
CVE-2026-39942 [HIGH] CWE-284: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by
Sources: ghsa, nvd, osv
CVE-2026-35442 | P3 | HIGH | CVSS 8.1 | fixed in 11.17.0 | 2026-04-06
CVE-2026-35442 [HIGH] CWE-200: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can ex
Sources: ghsa, nvd, osv
CVE-2026-35408 | P3 | CRITICAL | CVSS 9.3 | fixed in 11.17.0 | 2026-04-06
CVE-2026-35408 [CRITICAL] CWE-346: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the wind
Sources: ghsa, nvd, osv
CVE-2025-55746 | P3 | HIGH | CVSS 7.5 | versions >= 10.8.0, < 11.9.3 | 2025-08-20
CVE-2025-55746 [HIGH] CWE-73: Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with
Sources: ghsa, nvd, osv
CVE-2026-35409 | P3 | HIGH | CVSS 7.7 | fixed in 11.16.0 | 2026-04-06
CVE-2026-35409 [HIGH] CWE-918: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This
Sources: ghsa, nvd, osv
CVE-2024-54151 | P3 | HIGH | CVSS 7.5 | versions >= 11.0.0, < 11.3.0 | 2024-12-09
CVE-2024-54151 [HIGH] CWE-200: Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any D
Sources: ghsa, nvd, osv
CVE-2024-27295 | P3 | HIGH | CVSS 8.2 | fixed in 10.8.3 | 2024-03-01
CVE-2024-27295 [HIGH] CWE-706: Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact th
Sources: ghsa, nvd, osv
CVE-2024-39701 | P3 | HIGH | CVSS 7.7 | versions >= 9.23.0, < 10.6.0 | 2024-07-08
CVE-2024-39701 [HIGH] CWE-284: Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the ru
Sources: ghsa, nvd, osv
CVE-2023-26492 | P3 | HIGH | CVSS 7.5 | fixed in 9.23.0 | 2023-03-03
CVE-2023-26492 [HIGH] CWE-918: Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perfor
Sources: ghsa, nvd, osv
CVE-2025-30353 | P3 | HIGH | CVSS 7.5 | versions >= 9.12.0, < 11.5.0 | 2025-03-26
CVE-2025-30353 [HIGH] CWE-200: Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes envir
Sources: ghsa, nvd, osv
CVE-2026-39943 | P3 | MEDIUM | CVSS 6.5 | fixed in 11.17.0 | 2026-04-09
CVE-2026-39943 [MEDIUM] CWE-200: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authe
Sources: ghsa, nvd, osv
CVE-2024-36128 | P3 | HIGH | CVSS 7.5 | fixed in 10.11.2 | 2024-06-03
CVE-2024-36128 [HIGH] CWE-754: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be
Sources: ghsa, nvd, osv
CVE-2022-26969 | P3 | CRITICAL | versions ≥ 0, < 9.7.0 | 2022-04-05
CVE-2022-26969 [CRITICAL] CWE-942: Insecure default value for CORS configuration. Impact: The default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed. Patches: The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under
Sources: ghsa, osv
CVE-2024-45596 | P3 | MEDIUM | CVSS 6.5 | fixed in 10.13.3; versions >= 11.0.0, < 11.1.0 | 2024-09-10
CVE-2024-45596 [MEDIUM] CWE-524: Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, w
Sources: ghsa, nvd, osv
CVE-2025-64748 | P3 | MEDIUM | CVSS 6.5 | fixed in 11.13.0 | 2025-11-13
CVE-2025-64748 [MEDIUM] CWE-201: Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration att
Sources: ghsa, nvd, osv
CVE-2025-53889 | P3 | MEDIUM | CVSS 6.5 | versions >= 9.12.0, < 11.9.0 | 2025-07-15
CVE-2025-53889 [MEDIUM] CWE-287: Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to
Sources: ghsa, nvd, osv
CVE-2026-35441 | P3 | MEDIUM | CVSS 6.5 | fixed in 11.17.0 | 2026-04-06
CVE-2026-35441 [MEDIUM] CWE-400: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, fo
Sources: ghsa, nvd, osv
CVE-2023-38503 | P3 | MEDIUM | CVSS 6.5 | versions >= 10.3.0, < 10.5.0 | 2023-07-25
CVE-2023-38503 [MEDIUM] CWE-200: Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be re
Sources: ghsa, nvd, osv
CVE-2024-39895 | P3 | MEDIUM | CVSS 6.5 | fixed in 10.12.0 | 2024-07-08
CVE-2024-39895 [MEDIUM] CWE-400: Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant
Sources: nvd