SB20260423138 - Multiple vulnerabilities in Directus
Published: April 23, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2026-35442)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and compromise accounts.
The vulnerability exists due to incorrect authorization in the handling of aggregate queries that use groupBy on concealed fields. A remote user can send a crafted aggregate query to disclose sensitive information and compromise accounts.
The issue affects fields with the conceal special type and can expose static API tokens and TOTP secrets from directus_users.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-35441)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the GraphQL endpoints when processing crafted GraphQL queries with repeated aliases. A remote user can send a specially crafted GraphQL request to cause a denial of service.
Any authenticated user, including one with minimal read-only permissions, can trigger the issue. The impact scales with the number of aliases, relational query depth, and concurrent requests.
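Added example, not code from the advisory or from the Directus project: a pre-execution budget check of the kind a GraphQL server can apply before resolving an operation. It counts aliases, selection depth and total field selections in the operation text and rejects anything over configured limits, which is the usual mitigation for alias-amplification load. The limit values, the fixture queries and the text-scanning approach are assumptions made for the example; a real deployment would walk the parsed AST (for instance in a validation rule) rather than scan raw text.

```javascript
// Added example (not Directus code): count aliases, nesting depth and field
// selections in a GraphQL operation and reject operations over a budget.
// The scanner works on the raw text so it runs stand-alone; a server would
// normally do the same walk over the parsed AST.

const DEFAULT_LIMITS = { maxAliases: 20, maxDepth: 6, maxFields: 200 }; // assumed values

const isIdentStart = (c) => /[A-Za-z_]/.test(c);
const isIdentChar = (c) => /[A-Za-z0-9_]/.test(c);
const skipWs = (s, i) => { while (i < s.length && /[\s,]/.test(s[i])) i++; return i; }; // commas are insignificant in GraphQL
const readIdent = (s, i) => { while (i < s.length && isIdentChar(s[i])) i++; return i; };

function measureQuery(q) {
  const n = q.length;
  let i = 0, braceDepth = 0, parenDepth = 0;
  const m = { aliases: 0, fields: 0, maxDepth: 0 };
  while (i < n) {
    const c = q[i];
    if (c === '#') { while (i < n && q[i] !== '\n') i++; continue; }                       // line comment
    if (q.startsWith('"""', i)) { const e = q.indexOf('"""', i + 3); i = e < 0 ? n : e + 3; continue; } // block string
    if (c === '"') { i++; while (i < n && q[i] !== '"') { if (q[i] === '\\') i++; i++; } i++; continue; } // string
    if (c === '(') { parenDepth++; i++; continue; }
    if (c === ')') { parenDepth--; i++; continue; }
    if (parenDepth > 0) { i++; continue; }   // argument values (object literals included) do not add selection depth
    if (c === '{') { braceDepth++; if (braceDepth > m.maxDepth) m.maxDepth = braceDepth; i++; continue; }
    if (c === '}') { braceDepth--; i++; continue; }
    if (q.startsWith('...', i)) {            // fragment spread or inline fragment: skip its name / type condition
      i = skipWs(q, i + 3);
      let j = readIdent(q, i);
      if (q.slice(i, j) === 'on') { i = skipWs(q, j); j = readIdent(q, i); }
      i = j; continue;
    }
    if (c === '$' || c === '@') { i = readIdent(q, i + 1); continue; }  // variable or directive name
    if (isIdentStart(c)) {
      const j = readIdent(q, i);
      const k = skipWs(q, j);
      if (braceDepth === 0) { i = j; continue; }            // operation / fragment header, not a selection
      if (q[k] === ':') { m.aliases++; i = k + 1; continue; } // `alias: field`
      m.fields++; i = j; continue;
    }
    i++;
  }
  return m;
}

function checkQueryBudget(query, limits = DEFAULT_LIMITS) {
  const metrics = measureQuery(query);
  const violations = [];
  if (metrics.aliases > limits.maxAliases) violations.push(`aliases ${metrics.aliases} > ${limits.maxAliases}`);
  if (metrics.maxDepth > limits.maxDepth) violations.push(`depth ${metrics.maxDepth} > ${limits.maxDepth}`);
  if (metrics.fields > limits.maxFields) violations.push(`fields ${metrics.fields} > ${limits.maxFields}`);
  return { allowed: violations.length === 0, metrics, violations };
}

// Constructed fixtures: an ordinary query, one with a nested filter argument,
// and one that repeats the same relational selection under 30 aliases.
const NORMAL_QUERY = 'query { articles(limit: 10) { id title author { name } } }';
const FILTERED_QUERY = 'query { articles(filter: { status: { _eq: "published" } }) { id } }';
const ALIASED_QUERY = 'query {\n' +
  Array.from({ length: 30 }, (_, k) => `  a${k}: articles { id author { name } }`).join('\n') +
  '\n}';

for (const [name, q] of Object.entries({ NORMAL_QUERY, FILTERED_QUERY, ALIASED_QUERY })) {
  const r = checkQueryBudget(q);
  console.log(name, r.allowed ? 'allowed' : 'rejected', JSON.stringify(r.metrics), r.violations.join('; '));
}
```

The budget is enforced before any resolver runs, so the cost of a rejected request is one linear scan of the query text. Tune the limits to the largest legitimate operation your clients send; alias and field counts scale with concurrency, so a per-client rate limit on the endpoint is still needed alongside this check.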
3) Cleartext storage of sensitive information (CVE-ID: CVE-2026-39943)
CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to cleartext storage of sensitive information in revision history records in directus_revisions, written when items are created or updated or when users are auto-suspended after failed login attempts. A remote user can read revision records or flow logs to disclose sensitive information.
Exposed data may include tokens, two-factor authentication secrets, external authentication identifiers, stored credentials, authentication data, and AI provider API keys.
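Added example, not code from the advisory or from Directus, covering vulnerabilities 1 and 3 together since both come down to the same schema knowledge: which fields carry the conceal special type. It shows three defensive uses of that knowledge: refusing aggregate or groupBy queries that reference a concealed field, redacting concealed values from a change set before it is written to a revision record or flow log, and auditing already-stored revision data for unredacted concealed values. The collection and field names in the schema (token, tfa_secret, password, provider_api_key), the query shape and the relations map are assumptions; the advisory names only directus_users and the categories of data exposed.

```javascript
// Added example (not Directus code). One schema lookup, three defensive checks
// around fields with the "conceal" special type. All names below are constructed.

const CONCEALED_FIELDS = {                                   // constructed schema; field names are assumptions
  directus_users: new Set(['token', 'tfa_secret', 'password']),
  ai_settings: new Set(['provider_api_key']),
};
const REDACTED = '**********';

function concealedIn(collection) {
  return CONCEALED_FIELDS[collection] || new Set();
}

// Check 1: aggregate validation. Grouping or aggregating on a concealed field
// leaks its value even when the field is never selected directly, so any
// reference to one is rejected. Assumed query shape:
// { aggregate: { count: ['id'], ... }, groupBy: ['field', ...] }
function validateAggregateQuery(collection, query) {
  const concealed = concealedIn(collection);
  const offending = [];
  for (const field of query.groupBy || []) {
    if (concealed.has(field)) offending.push(`groupBy:${field}`);
  }
  for (const [fn, fields] of Object.entries(query.aggregate || {})) {
    for (const field of fields) if (concealed.has(field)) offending.push(`${fn}:${field}`);
  }
  return { allowed: offending.length === 0, offending };
}

// Check 2: redact concealed values before a change set reaches
// directus_revisions or a flow log. Nested objects are walked; `relations`
// maps a field name to the collection its nested payload belongs to.
function redactForRevision(collection, delta, relations = {}) {
  const concealed = concealedIn(collection);
  const out = {};
  for (const [key, value] of Object.entries(delta)) {
    if (concealed.has(key) && value != null) out[key] = REDACTED;
    else if (value && typeof value === 'object' && !Array.isArray(value))
      out[key] = redactForRevision(relations[key] || collection, value, relations);
    else out[key] = value;
  }
  return out;
}

// Check 3: audit a stored revision payload and return the paths of concealed
// fields whose value is present and not redacted (useful when assessing
// what an instance already persisted before patching).
function auditRevision(collection, data, relations = {}, prefix = '') {
  const concealed = concealedIn(collection);
  const findings = [];
  for (const [key, value] of Object.entries(data || {})) {
    const path = prefix + key;
    if (concealed.has(key) && value != null && value !== REDACTED) findings.push(path);
    else if (value && typeof value === 'object' && !Array.isArray(value))
      findings.push(...auditRevision(relations[key] || collection, value, relations, path + '.'));
  }
  return findings;
}

// Constructed sample change sets, as a revision hook would receive them.
const USER_DELTA = { email: 'alice@example.test', token: 'constructed-static-token', tfa_secret: 'JBSWY3DPEHPK3PXP', status: 'suspended' };
const ARTICLE_DELTA = { title: 'Hello', author: { id: 7, token: 'constructed-nested-token' } };
const RELATIONS = { author: 'directus_users' };

console.log(validateAggregateQuery('directus_users', { aggregate: { count: ['id'] }, groupBy: ['token'] }));
console.log(redactForRevision('directus_users', USER_DELTA));
console.log(auditRevision('articles', ARTICLE_DELTA, RELATIONS)); // ['author.token']
```

Redaction belongs at the single point where revision and log records are written, not in each caller; the audit function is the same walk run over what is already stored, so the two stay consistent as the schema changes.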
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-39942)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to overwrite files belonging to other users.
The vulnerability exists due to authorization bypass through a user-controlled key in the PATCH /files/{id} endpoint when handling a user-controlled filename_disk parameter. A remote user can set filename_disk to the storage path of another user's file to overwrite files belonging to other users.
If the storage backend is shared with the extensions location, exploitation can lead to arbitrary code execution when malicious extensions are loaded.
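Added example, not code from the advisory or from Directus: how a file metadata update such as PATCH /files/{id} can be handled so that the storage key is never taken from the client. The client payload is reduced to an allow-list of editable fields, and a rename of the stored object, when permitted at all, must be a single flat file name that no other record already uses. The editable-field list, the actor and record shapes, and the in-memory file table are assumptions; only the filename_disk field and the endpoint come from the advisory.

```javascript
// Added example (not Directus code): allow-list handling for file metadata
// updates. filename_disk is server-managed; it is dropped from client input,
// and a privileged rename must still be a safe, unused name.

const CLIENT_EDITABLE_FILE_FIELDS = new Set(['title', 'description', 'tags', 'folder']); // assumed list

// A safe on-disk name: one path segment, no leading dot, no separators, no traversal.
function isSafeDiskName(name) {
  return typeof name === 'string'
    && /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/.test(name)
    && !name.includes('..');
}

// payload: client body; existing: the record being updated; actor: { admin: boolean };
// findFileByDiskName: lookup against the files table.
function prepareFileUpdate(payload, existing, actor, findFileByDiskName) {
  const update = {};
  const dropped = [];
  for (const [field, value] of Object.entries(payload)) {
    if (CLIENT_EDITABLE_FILE_FIELDS.has(field)) update[field] = value;
    else dropped.push(field);                       // everything else, filename_disk included, is ignored
  }
  // Only a privileged actor may rename the stored object, and only to a safe name
  // that does not collide with another record's storage path.
  if (Object.prototype.hasOwnProperty.call(payload, 'filename_disk') && actor.admin) {
    const name = payload.filename_disk;
    if (!isSafeDiskName(name)) throw new Error('filename_disk must be a plain file name');
    const other = findFileByDiskName(name);
    if (other && other.id !== existing.id) throw new Error('filename_disk already belongs to another file');
    update.filename_disk = name;
    dropped.splice(dropped.indexOf('filename_disk'), 1);
  }
  return { update, dropped };
}

// Constructed in-memory file table standing in for the database.
const FILES = [
  { id: 'f1', uploaded_by: 'alice', filename_disk: 'a1b2c3.png' },
  { id: 'f2', uploaded_by: 'bob', filename_disk: 'd4e5f6.pdf' },
];
const findFileByDiskName = (name) => FILES.find((f) => f.filename_disk === name);

// A non-admin update that tries to point alice's record at bob's stored object:
// the title is applied, filename_disk is silently dropped.
console.log(prepareFileUpdate(
  { title: 'Quarterly report', filename_disk: 'd4e5f6.pdf' },
  FILES[0], { admin: false }, findFileByDiskName,
));
```

Keeping the storage location for extensions on a different backend or prefix than user uploads is a separate, complementary control: even a correct validator should not be the only thing standing between an uploaded file and the extension loader.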
5) Origin validation error (CVE-ID: CVE-2026-35408)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to obtain an OAuth access token for the victim's third-party identity provider account.
The vulnerability exists due to an origin validation error in the SSO login pages when a malicious cross-origin window opens the Directus login page. A remote attacker can intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client to obtain an OAuth access token for the victim's third-party identity provider account.
This may lead to unauthorized access to the victim's linked identity provider account and, in some cases, account takeover of the Directus instance.
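Added example, not code from the advisory or from Directus, and not a description of the specific Directus fix, which the bulletin does not give: the receiving side of a popup- or postMessage-driven SSO flow with the two checks that bind an incoming authorization result to the attempt this window actually started. The sender's origin is compared by exact membership in an allow-list after URL normalisation (prefix matching would accept a look-alike host), and the state value must equal the one generated for the pending attempt and is consumed on first use. The allowed origins, the message shape and the session object are assumptions.

```javascript
// Added example (not Directus code): origin and state checks for an SSO result
// delivered by postMessage. Nothing here contacts a real identity provider.

const ALLOWED_ORIGINS = new Set(['https://directus.example.test', 'https://idp.example.test']); // assumed

function isTrustedOrigin(origin) {
  // new URL() lower-cases the host and drops default ports; the check itself is
  // exact set membership, never startsWith/includes, so a look-alike host such as
  // https://idp.example.test.attacker.example is rejected. "null" (opaque origin) fails to parse.
  let parsed;
  try { parsed = new URL(origin); } catch { return false; }
  return parsed.protocol === 'https:' && ALLOWED_ORIGINS.has(parsed.origin);
}

function webRandomBytes(n) {
  const bytes = new Uint8Array(n);
  globalThis.crypto.getRandomValues(bytes);
  return bytes;
}

// Start a login attempt: record a fresh random state in the session and return it
// for inclusion in the authorization request. randomBytes is injectable for tests.
function newLoginAttempt(session, randomBytes = webRandomBytes) {
  const state = Array.from(randomBytes(16), (b) => b.toString(16).padStart(2, '0')).join('');
  session.pendingState = state;
  return state;
}

// Handle one incoming message event ({ origin, data }). Assumed message shape:
// { type: 'sso-result', state, code }.
function handleAuthMessage(event, session) {
  const { origin, data } = event;
  if (!isTrustedOrigin(origin)) return { accepted: false, reason: `untrusted origin ${origin}` };
  if (!data || data.type !== 'sso-result') return { accepted: false, reason: 'not an SSO result' };
  if (!session.pendingState) return { accepted: false, reason: 'no login attempt in progress' };
  if (data.state !== session.pendingState) return { accepted: false, reason: 'state mismatch' };
  session.pendingState = null;                    // single use: a replay of the same result is refused
  return { accepted: true, code: data.code };
}

// Constructed walk-through with a deterministic state so the output is reproducible.
function demo() {
  const session = { pendingState: null };
  const state = newLoginAttempt(session, (n) => new Uint8Array(n).fill(0xab));
  const spoofed = handleAuthMessage(
    { origin: 'https://idp.example.test.attacker.example', data: { type: 'sso-result', state, code: 'x' } }, session);
  const genuine = handleAuthMessage(
    { origin: 'https://idp.example.test', data: { type: 'sso-result', state, code: 'constructed-code' } }, session);
  const replay = handleAuthMessage(
    { origin: 'https://idp.example.test', data: { type: 'sso-result', state, code: 'constructed-code' } }, session);
  return { spoofed, genuine, replay };
}

console.log(demo());
```

The same two checks apply whichever transport carries the result: a redirect-based flow validates the state on the callback URL and the page that opened the flow, while a popup flow validates both the state and event.origin before touching the message body.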
Remediation
Install the update from the vendor's website.
References
- https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc
- https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj
- https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j
- https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95
- https://github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99