#VU127104 Information disclosure in Directus - CVE-2024-39896

 

Published: July 8, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127104
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-39896
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the login form and authentication API when handling login attempts for email addresses associated with SSO providers. A remote attacker can submit a login request with a targeted email address to disclose sensitive information.

The issue occurs when SSO providers are used in combination with local authentication.


Remediation

Install the security update from the vendor's website.
