Directus vulnerabilities
59 known vulnerabilities affecting directus/directus.
Total CVEs: 59
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 12, MEDIUM 45, LOW 1
Vulnerabilities
Page 1 of 3
CVE-2026-39942 | HIGH | CVSS 8.5 | CWE-284 | fixed in 11.17.0 | 2026-04-09
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by

CVE-2026-39943 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 11.17.0 | 2026-04-09
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authe

CVE-2026-35412 | HIGH | CVSS 7.1 | CWE-863 | fixed in 11.16.1 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the use

CVE-2026-35442 | HIGH | CVSS 8.1 | CWE-200 | fixed in 11.17.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can ex

CVE-2026-35408 | HIGH | CVSS 8.7 | CWE-346 | fixed in 11.17.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window o

CVE-2026-35409 | HIGH | CVSS 7.7 | CWE-918 | fixed in 11.16.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This

CVE-2026-35410 | MEDIUM | CVSS 6.1 | CWE-184 | fixed in 11.16.1 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to

CVE-2026-35441 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 11.17.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, fo

CVE-2026-35413 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 11.16.1 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of

CVE-2026-35411 | MEDIUM | CVSS 4.3 | CWE-601 | fixed in 11.16.1 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Dire

CVE-2026-26185 | MEDIUM | CVSS 5.3 | CWE-203 | fixed in 11.14.1 | 2026-02-12
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user en

CVE-2026-22032 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 11.14.0 | 2026-01-08
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flo

CVE-2025-64746 | MEDIUM | CVSS 5.4 | CWE-284 | fixed in 11.13.0 | 2025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field

CVE-2025-64749 | MEDIUM | CVSS 4.3 | CWE-203 | fixed in 11.13.0 | 2025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they a

CVE-2025-64748 | MEDIUM | CVSS 6.5 | CWE-201 | fixed in 11.13.0 | 2025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration att

CVE-2025-64747 | MEDIUM | CVSS 5.5 | CWE-20 | fixed in 11.13.0 | 2025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) r

CVE-2025-55746 | HIGH | CVSS 7.5 | CWE-73 | affected versions >= 10.8.0, < 11.9.3 | 2025-08-20
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with

CVE-2025-53889 | MEDIUM | CVSS 6.5 | CWE-287 | affected versions >= 9.12.0, < 11.9.0 | 2025-07-15
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger do not validate whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to

CVE-2025-53886 | MEDIUM | CVSS 4.5 | CWE-200 | affected versions >= 9.0.0, < 11.9.0 | 2025-07-15
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged, including security-sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hi

CVE-2025-53887 | MEDIUM | CVSS 5.3 | CWE-200 | affected versions >= 9.0.0, < 11.9.0 | 2025-07-15
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version; this means that it is exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information
