Open redirect in Directus - CVE-2026-35410

 


Published: April 23, 2026


Vulnerability identifier: #VU127129
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35410
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect users to an arbitrary external domain.

The vulnerability exists because the isLoginRedirectAllowed function does not adequately validate the redirect target when processing login redirection URLs, so a redirect to an untrusted site (CWE-601) is accepted. A remote attacker can send a victim a specially crafted login link that, once the victim has authenticated, redirects them to an arbitrary external domain.

Exploitation requires user interaction: the victim must open the crafted link and log in. The issue is particularly impactful in OAuth2 and SAML authentication flows, where the redirect is performed after successful authentication, so the victim is sent to the attacker's domain immediately after establishing a session with the Directus instance.


How to mitigate CVE-2026-35410

Install the security update from the vendor's website. Until it is applied, treat login links whose redirect target points outside the instance's own origin as suspicious, since the vulnerable check is what was supposed to reject them.

Sources