Authorization bypass through user-controlled key in Directus - CVE-2026-39942


Published: April 23, 2026


Vulnerability identifier: #VU127132
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39942
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote user to overwrite files belonging to other users.

The vulnerability exists because the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter without checking that the caller is allowed to use the referenced storage path (an authorization bypass through a user-controlled key). A remote user can set filename_disk to the storage path of another user's file and thereby overwrite files belonging to other users.

If the storage backend is shared with the extensions location, exploitation can lead to arbitrary code execution when the overwritten extension files are loaded.
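The following is an added illustration, not Directus's own code, of the defect class described above and the check that closes it: a PATCH handler that merges client input straight into the file record beside one that treats the storage-location fields as server-owned, enforces ownership, and refuses a disk path already used by another record. All names (SERVER_OWNED_FIELDS, FILES, mergeUnchecked, validateFilePatch) and the sample rows are constructed for the example.

```javascript
// Added example (not Directus's code): guarding PATCH /files/{id} against a
// client pointing its record at another user's file on disk.

// Fields that say where the file physically lives. Only the server should
// set them, at upload or move time; a plain user edit must not touch them.
const SERVER_OWNED_FIELDS = ['storage', 'filename_disk'];

// Constructed sample rows standing in for a files collection.
const FILES = [
  { id: 'f1', uploaded_by: 'alice', storage: 'local', filename_disk: 'a1.png' },
  { id: 'f2', uploaded_by: 'bob',   storage: 'local', filename_disk: 'b2.js'  },
];

// Vulnerable shape: whatever the client sends is merged into the row, so a
// filename_disk value naming someone else's path is accepted as-is.
function mergeUnchecked(fileId, payload) {
  const row = FILES.find((f) => f.id === fileId);
  return row ? { ...row, ...payload } : null;
}

// Hardened shape: require ownership (or admin), reject server-owned fields
// from ordinary users, and never let two rows share one disk path.
function validateFilePatch(requester, fileId, payload) {
  const row = FILES.find((f) => f.id === fileId);
  if (!row) return { ok: false, reason: 'not_found' };
  if (!requester.admin && row.uploaded_by !== requester.id) {
    return { ok: false, reason: 'forbidden' };
  }
  const touched = SERVER_OWNED_FIELDS.filter((k) => k in payload);
  if (touched.length && !requester.admin) {
    return { ok: false, reason: 'server_owned_field', fields: touched };
  }
  if ('filename_disk' in payload) {
    const p = String(payload.filename_disk);
    // Even for admins: no path separators or traversal, and no collision
    // with the disk path of a different record.
    if (p.includes('/') || p.includes('\\') || p.includes('..')) {
      return { ok: false, reason: 'bad_path' };
    }
    const clash = FILES.find((f) => f.id !== fileId && f.filename_disk === p);
    if (clash) return { ok: false, reason: 'path_in_use' };
  }
  return { ok: true, row: { ...row, ...payload } };
}
```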


How to mitigate CVE-2026-39942

Install the security update from the vendor's website.

Sources