Information disclosure in Directus - CVE-2024-27296

 


Published: March 1, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127095
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-27296
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the compiled JS bundles expose sensitive information and can be accessed without authentication. A remote attacker can retrieve the exact running Directus version number from these bundles.


Remediation

Install the security update from the vendor's website.
