Improper access control in Directus - CVE-2022-26969

Published: April 4, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127088
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-26969
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote attacker to gain unauthorized access.

The vulnerability exists due to improper access control in the CORS configuration when handling cross-origin requests with permissive default settings. A remote attacker can induce a victim to access the application from an unauthorized origin to gain unauthorized access.

The issue occurs in uncontrolled environments when the default CORS configuration has not been changed, and user interaction is required.
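To make the "permissive default CORS configuration" concrete, the following is an added illustration (not code from the advisory or from the Directus project) of how a server that reflects any request Origin while also allowing credentials differs from one that checks an explicit allowlist. The setting names CORS_ORIGIN and CORS_CREDENTIALS are assumptions modelled on Directus-style environment variables, not values quoted from this page.

```javascript
// Added example, not from the advisory or Directus.
// config.CORS_ORIGIN: true (reflect whatever Origin the browser sends) or an
// array of exact allowed origins. config.CORS_CREDENTIALS: whether cookies /
// auth headers may accompany the cross-origin request. (Assumed names.)
function corsHeaders(config, requestOrigin) {
  const headers = {};
  if (!requestOrigin) return headers;             // same-origin or non-browser client

  let allowed = null;
  if (config.CORS_ORIGIN === true) {
    allowed = requestOrigin;                       // permissive: reflects any origin
  } else if (Array.isArray(config.CORS_ORIGIN)) {
    // Exact string match only; no substring or regex matching, so
    // "https://admin.example.com.evil.test" does not pass.
    if (config.CORS_ORIGIN.includes(requestOrigin)) allowed = requestOrigin;
  }
  if (allowed === null) return headers;            // no CORS grant for this origin

  headers['Access-Control-Allow-Origin'] = allowed;
  headers['Vary'] = 'Origin';                      // per-origin responses must not be cached globally
  if (config.CORS_CREDENTIALS === true) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Defender-side check: reflecting every origin AND allowing credentials is the
// combination that lets an unrelated page read responses as the logged-in user.
function isPermissive(config) {
  return config.CORS_ORIGIN === true && config.CORS_CREDENTIALS === true;
}

// Constructed sample configurations: the weak default beside a hardened one.
const permissiveDefault = { CORS_ORIGIN: true, CORS_CREDENTIALS: true };
const hardened = {
  CORS_ORIGIN: ['https://admin.example.com'],      // assumed trusted front-end origin
  CORS_CREDENTIALS: true,
};

// Constructed Origin value from an unrelated site.
const untrustedOrigin = 'https://unrelated.example';
```

Running isPermissive against a deployment's CORS settings is a quick way to confirm whether the default described in this advisory is still in effect.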


Remediation

Install the security update from the vendor's website.

External links