2 matches found
CVE-2026-35413 Directus GraphQL Schema SDL Disclosure Setting
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint...
GHSA-PH52-67FQ-75WJ Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits
Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...