SB20260423139 - Multiple vulnerabilities in Directus
Published: April 23, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-35413)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the server_specs_graphql resolver on the /graphql/system endpoint when handling schema disclosure requests while GraphQL introspection is disabled. A remote attacker can send a request to retrieve an equivalent SDL representation of the schema to disclose sensitive information.
The issue bypasses the GRAPHQL_INTROSPECTION=false restriction and can expose collection names, field names, types, and relationships.
2) Incorrect authorization (CVE-ID: CVE-2026-35412)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite arbitrary existing files.
The vulnerability exists due to incorrect authorization in the TUS resumable upload endpoint (/files/tus) when handling file replacement requests by UUID. A remote user can send a crafted TUS upload request to overwrite arbitrary existing files.
Row-level permission rules on specific files are bypassed through the TUS upload path, and the targeted file's metadata may also be modified.
3) Open redirect (CVE-ID: CVE-2026-35411)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to redirect a victim to an attacker-controlled site.
The vulnerability exists due to URL redirection to an untrusted site in the /admin/tfa-setup page when processing the redirect query parameter during 2FA setup. A remote attacker can send a crafted link to redirect a victim to an attacker-controlled site.
User interaction is required, and exploitation occurs after an administrator who has not yet configured two-factor authentication completes the setup process.
4) Open redirect (CVE-ID: CVE-2026-35410)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to redirect users to an arbitrary external domain.
The vulnerability exists due to URL redirection to an untrusted site in the isLoginRedirectAllowed function when processing login redirection URLs. A remote attacker can supply a specially crafted login URL to redirect users to an arbitrary external domain.
User interaction is required, and the issue is particularly impactful in OAuth2 and SAML authentication flows after successful authentication.
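Both open-redirect issues (3 and 4) come down to accepting a redirect target that is not confined to the application's own origin. The following is an added example of the kind of strict allowlist check a defender would want at the point where a post-login or post-2FA redirect target is consumed; it is not Directus code and does not reproduce the isLoginRedirectAllowed function. The application origin (cms.example.test), the allowlist, and the /admin fallback are constructed assumptions. The check resolves the candidate against the app origin with the WHATWG URL parser, which also normalises the usual evasions (protocol-relative //host, backslash-prefixed /\host, credentials-in-authority user@host), and then requires the resulting origin to be explicitly allowlisted.

```javascript
// Added example, not Directus code. Validates a login/2FA redirect target
// against an explicit origin allowlist before the server issues a redirect.

const APP_ORIGIN = 'https://cms.example.test';      // constructed, hypothetical
const ALLOWED_ORIGINS = new Set([APP_ORIGIN]);      // add trusted external origins here only deliberately

function isLoginRedirectSafe(target, allowedOrigins = ALLOWED_ORIGINS, appOrigin = APP_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0) return false;

  // Control characters and whitespace are stripped or tolerated by lenient
  // parsers in surprising ways; refuse them outright rather than normalise.
  if (/[\u0000-\u001F\u007F\s]/.test(target)) return false;

  let url;
  try {
    // Resolving against the app origin turns "/admin/content" into an absolute
    // URL on our own host, while "//evil.example", "/\\evil.example" and
    // "https://evil.example" all resolve to the foreign origin they really name.
    url = new URL(target, appOrigin);
  } catch {
    return false; // unparseable input is never a valid redirect
  }

  // Only http(s) destinations; this blocks javascript:, data:, and similar.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;

  // "https://cms.example.test@evil.example/" parses with host evil.example;
  // credentials in a redirect target have no legitimate use, so reject them.
  if (url.username !== '' || url.password !== '') return false;

  // The decision is made on the parsed origin, not on a string prefix match,
  // so "https://cms.example.test.evil.example" is rejected as well.
  return allowedOrigins.has(url.origin);
}

// Returns the absolute URL to redirect to, or the safe fallback when the
// supplied target fails validation (never echo the rejected value back).
function resolveLoginRedirect(target, fallback = '/admin') {
  return isLoginRedirectSafe(target) ? new URL(target, APP_ORIGIN).href : fallback;
}

module.exports = { isLoginRedirectSafe, resolveLoginRedirect, APP_ORIGIN, ALLOWED_ORIGINS };
```

The important design choice is that the allowlist is consulted on `url.origin` after parsing, never on the raw string: prefix checks such as "starts with https://cms.example.test" or "starts with /" are exactly what protocol-relative and credentialed URLs are built to slip past. Anything rejected should be logged with the offending value and the session's identity, since a burst of rejected redirect targets against the login or 2FA setup flow is a useful signal that someone is probing this class of issue.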
Remediation
Install the update from the vendor's website.
References
- https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx
- https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
- https://github.com/directus/directus/security/advisories/GHSA-q75c-4gmv-mg9x
- https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj