Observable discrepancy in Directus - CVE-2026-26185


Published: April 23, 2026


Vulnerability identifier: #VU127123
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-26185
CWE-ID: CWE-203
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to determine whether a given email address belongs to an existing Directus user account (user enumeration).

The vulnerability exists due to an observable discrepancy (a timing side channel) in the password reset endpoint when it handles a password reset request whose reset_url parameter is invalid. The endpoint returns the same response regardless of whether the supplied email address matches an account, but the time it takes to do so does not: the code path taken for an existing user differs from the one taken for a non-existing user. A remote attacker can send crafted password reset requests for candidate email addresses, measure the response times, and infer from the difference which addresses correspond to real accounts.

The response time differs by approximately 500ms between existing and non-existing users, which is large enough to be distinguished reliably over the network with a handful of repeated requests per address.


How to mitigate CVE-2026-26185

Install the security update from the vendor's website. Until it is applied, rate-limiting the password reset endpoint per source address and alerting on bursts of reset requests for many different email addresses from one client will make the timing measurement slower and noisier for an attacker and easier to spot for defenders, but it does not remove the discrepancy itself.
