Origin validation error in Directus - CVE-2026-35408

Published: April 23, 2026

Vulnerability identifier: #VU127133
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35408
CWE-ID: CWE-346
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain an OAuth access token for the victim's third-party identity provider account.

The vulnerability exists due to an origin validation error in the SSO login pages when a malicious cross-origin window opens the Directus login page. A remote attacker can intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client and thereby obtain an OAuth access token for the victim's third-party identity provider account.

This may lead to unauthorized access to the victim's linked identity provider account and, in some cases, account takeover of the Directus instance.
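The weakness class here (CWE-346) is a login page acting on instructions from a window whose origin it never checked. The following browser-side snippet is an added illustration of the defensive pattern and is not Directus code: a `message` handler that accepts an SSO request only from an exact-match origin allowlist and builds the authorization URL exclusively from a server-registered provider table, so `redirect_uri` or `client_id` values carried in the message can never steer the flow. The names `TRUSTED_ORIGINS`, `PROVIDERS`, `isTrustedOrigin`, `buildAuthorizeUrl` and `handleSsoMessage`, the `sso-login` message shape and all URLs and client identifiers are assumptions constructed for the example.

```javascript
// Added example (not Directus code): origin-validated SSO start on a login page
// that may be opened and messaged by a cross-origin window.

// Assumed allowlist of origins permitted to drive the login flow via postMessage.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// Constructed registry of identity providers. Every value that goes into the
// authorization URL comes from here, never from the incoming message.
const PROVIDERS = {
  github: {
    authorizeUrl: "https://github.com/login/oauth/authorize",
    clientId: "EXAMPLE_CLIENT_ID", // placeholder
    redirectUri: "https://app.example.com/auth/login/github/callback", // assumed
    scope: "read:user",
  },
};

// Exact-origin comparison: scheme + host + port, HTTPS only, no substring or
// prefix matching. "null" (opaque origins) and malformed values are rejected.
function isTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return (
    parsed.protocol === "https:" &&
    parsed.origin === origin &&
    trusted.has(parsed.origin)
  );
}

// Builds the authorization request from registered provider settings only.
function buildAuthorizeUrl(provider, state) {
  const url = new URL(provider.authorizeUrl);
  url.searchParams.set("client_id", provider.clientId);
  url.searchParams.set("redirect_uri", provider.redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", provider.scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Handles one "message" event on the login page. Returns the URL to navigate
// to, or null when the message must be ignored. Any redirect_uri / client_id
// fields present in the message are deliberately never read.
function handleSsoMessage(
  event,
  state,
  { trusted = TRUSTED_ORIGINS, providers = PROVIDERS } = {}
) {
  if (!isTrustedOrigin(event.origin, trusted)) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "sso-login") return null;
  // Own-property check so names like "__proto__" cannot reach a provider entry.
  if (!Object.prototype.hasOwnProperty.call(providers, data.provider)) return null;
  return buildAuthorizeUrl(providers[data.provider], state);
}

// Wiring on a real page; guarded so the module also loads outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const target = handleSsoMessage(event, crypto.randomUUID());
    if (target) window.location.assign(target);
  });
}
```

The two checks do different jobs: the origin allowlist decides whether the opener may trigger a login at all, and the registered provider table guarantees that even a trusted opener cannot choose where the authorization code is delivered. The `state` value should be stored server-side or in a session cookie and compared on the callback.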

How to mitigate CVE-2026-35408

Install the security update from the vendor's website.

Sources