Improper access control in Directus - CVE-2022-26969

 

Improper access control in Directus - CVE-2022-26969

Published: April 4, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127088
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-26969
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access.

The vulnerability exists due to improper access control in the CORS configuration when handling cross-origin requests with permissive default settings. A remote attacker can induce a victim to access the application from an unauthorized origin to gain unauthorized access.

The issue occurs in uncontrolled environments when the default CORS configuration has not been changed, and user interaction is required.


How to mitigate CVE-2022-26969

Install security update from vendor's website.

Sources