Server-Side Request Forgery (SSRF) in Directus - CVE-2023-26492

Published: March 3, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU127089
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-26492
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery in the /files/import endpoint when importing a file from a remote web server. A remote user can send a specially crafted file import request that uses DNS rebinding to disclose sensitive information.

The issue can also be used to perform local port scanning, and exploitation may expose internal metadata services such as the AWS instance metadata API.


Remediation

Install the security update from the vendor's website.

External links