Information disclosure in Directus - CVE-2024-39896

Published: July 8, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127104
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-39896
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the login form and authentication API when handling login attempts for email addresses associated with SSO providers. A remote attacker can submit a login request with a targeted email address to disclose sensitive information.

The issue occurs when SSO providers are used in combination with local authentication.
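As an added illustration, not Directus code, of the response-difference pattern behind this class of disclosure: a login handler whose failure message reveals that an email belongs to an SSO-managed account, beside a hardened handler that returns one uniform failure for every unsuccessful attempt. The user directory, messages and password check below are constructed assumptions.

```javascript
// Constructed sample directory: a local account and an SSO-managed account (assumption).
const users = new Map([
  ['alice@example.com', { provider: 'local', passwordHash: 'h(correct-horse)' }],
  ['bob@example.com',   { provider: 'okta',  passwordHash: null }],
]);

// Stand-in for a real password verifier (a production system would use a slow,
// constant-time hash comparison; this toy only models match / no-match).
function passwordMatches(user, password) {
  return user.passwordHash !== null && user.passwordHash === `h(${password})`;
}

// Vulnerable pattern: each failure branch answers differently, so the endpoint
// reveals whether an email exists and whether it is tied to an SSO provider.
function loginVulnerable(email, password) {
  const user = users.get(email);
  if (!user) return { status: 401, error: 'User not found' };
  if (user.provider !== 'local') {
    return { status: 400, error: `Account is managed by SSO provider "${user.provider}"` };
  }
  if (!passwordMatches(user, password)) return { status: 401, error: 'Wrong password' };
  return { status: 200 };
}

// Hardened pattern: unknown email, SSO-only account and wrong password all map to
// the same response, so the login endpoint says nothing about the account directory.
const GENERIC_FAILURE = Object.freeze({ status: 401, error: 'Invalid credentials.' });
function loginHardened(email, password) {
  const user = users.get(email);
  const ok = user !== undefined && user.provider === 'local' && passwordMatches(user, password);
  return ok ? { status: 200 } : GENERIC_FAILURE;
}

// Defender-side regression check: count distinct failure responses across the
// three failure cases. A leak-free handler yields exactly one.
function distinctFailureResponses(loginFn) {
  const probes = [
    ['nobody@example.com', 'x'],   // unknown email
    ['bob@example.com', 'x'],      // SSO-managed account, password login attempted
    ['alice@example.com', 'wrong'] // local account, wrong password
  ];
  return new Set(probes.map(([e, p]) => JSON.stringify(loginFn(e, p)))).size;
}
```

Run `distinctFailureResponses` against your own handler as a unit test; any result above 1 means the login endpoint distinguishes account types in its responses.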


How to mitigate CVE-2024-39896

Install the security update from the vendor's website.

Sources