54 matches found
CVE-2023-38503
Directus (real-time API/dashboard for SQL data) has an authentication/authorization flaw in GraphQL subscriptions. From version 10.3.0 up to, but not including, 10.5.0, permission filters like user_created IS $CURRENT_USER are not properly enforced for subscription events, allowing unauthorized u...
CVE-2023-26492
Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import), exploitable via DNS rebinding to bypass IP deny lists and access sensitive internal data. Affected versions include Directus prior to 9.23.0 (e.g.,
CVE-2024-27295
Directus vulnerability CVE-2024-27295: the password reset flow can be abused due to accent-insensitive and case-insensitive comparisons in MySQL/MariaDB, enabling an attacker to request a reset for a victim’s account by using a near-identical email address (with accented characters). The issue af...
CVE-2024-54151
Directus vulnerability CVE-2024-54151 affects Directus real-time API/admin dashboard. From version 11.0.0 up to, but not including, 11.3.0, configuring WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public" allows unauthenticated users to perform any supported operations (CRUD, subscriptions...
CVE-2025-55746
Directus vulnerability (CVE-2025-55746) affects Directus real-time API/dashboard. From 10.8.0 to before 11.9.3, an issue in the file update mechanism lets an unauthenticated actor modify existing files with arbitrary content and/or upload new files (with arbitrary extensions) without updating dat...
CVE-2024-27296
CVE-2024-27296 affects Directus: prior to 10.8.3, the exact Directus version is shipped in compiled JS bundles accessible without authentication, enabling attackers to map to known vulnerabilities in Directus core or dependencies. The issue has been fixed in 10.8.3 and later. Remediation is upgra...
CVE-2025-30353
Directus vulnerability (CVE-2025-30353): In Directus, flows using the Webhook trigger with the Data of Last Operation response can disclose sensitive data when a ValidationError occurs. Affected versions are 9.12.0 up to, but not including, 11.5.0. The exposure includes environment variables, API...
CVE-2024-28239
CVE-2024-28239 affects Directus. The authentication API’s redirect parameter can be exploited to perform an open redirect during login (e.g., redirect to http://malicious-fishing-site.com after OAuth2 login). This can enable phishing by steering users to a forged error page while using a legitima...
CVE-2024-47822
CVE-2024-47822 – Directus : The issue arises from access tokens in query strings not being redacted when LOG_STYLE is set to raw, allowing potential exposure of long‑lived tokens in system logs. This could enable an attacker with log access to gain administrative control or perform unauthorized d...
CVE-2023-28443
CVE-2023-28443 affects Directus before version 9.23.3, where the token directus_refresh_token is not redacted in logs, enabling potential user impersonation. The root cause is improper token redaction in log output, leading to sensitive data exposure via logging. The vulnerability requires access...
CVE-2024-28238
CVE-2024-28238 concerns Directus, where a session token (JWT) is sent via GET on the /files page. This exposes tokens to logs (web servers, browser history), enabling potential session hijacking and unauthorized actions if an attacker accesses those logs. Public sources in the connected documents...
CVE-2024-54128
Directus (Comment feature) is vulnerable to HTML injection because a client-side filter for restricted characters can be bypassed. The CVE notes that this bypass enables injection of HTML content, with documented impact and a fix in versions 10.13.4 and 11.2.0. Affected components: Directus core ...
CVE-2025-24353
Directus prior to version 11.2.0 is vulnerable to privilege escalation via the share feature. A user can specify an arbitrary role when sharing an item, enabling access to fields that should be restricted for their role. Affected instances are those using the share feature with a role hierarchy a...
CVE-2025-53886
Directus vulnerability CVE-2025-53886 affects Directus with Flows using the WebHook trigger prior to version 11.9.0. The issue logs all incoming request details, including sensitive data such as access and refresh tokens stored in cookies, enabling a user with log access (malicious admins) to hij...
CVE-2022-26969
CVE-2022-26969 affects Directus prior to version 9.7.0, where the default settings for CORS_ORIGIN and CORS_ENABLED are true. The Red Hat and NVD entries confirm this issue, with a high-severity CVSS v3.1 base score (9.8, CRITICAL) and a network-based vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)....
CVE-2025-30350
Directus and its storage-driver-s3 component are affected by a DoS-like asset unavailability vulnerability triggered by a burst of HEAD requests. Affected range: @directus/storage-driver-s3 versions prior to 12.0.1 (corresponding to Directus 9.22.0–11.5.0). When many HEAD checks occur, assets can...
CVE-2024-39895
Directus (graph-based API) is affected by a DoS via GraphQL field duplication. An attacker can craft a query to duplicate fields (e.g., GraphQL /graphql calls in dashboards), causing excessive resource usage and service unavailability. The vulnerability is fixed in Directus 10.12.0. Remediation: ...
CVE-2024-39896
Directus (real-time API/admin for SQL content) has a user-enumeration flaw when relying on SSO providers together with local login. If an email exists and belongs to a known SSO provider, Directus may emit a “helpful” error indicating the user belongs to another provider, enabling enumeration of ...
CVE-2025-30351
CVE-2025-30351 affects Directus: real-time API and app dashboard for SQL DB content. From version 10.10.0 up to, but not including, 11.5.0, a suspended user can keep using a token from session auth to access the API because verifySessionJWT does not check that the user is still active. This enabl...
CVE-2024-39699
Directus has a Blind SSRF via redirects in file import. The vulnerability arises because redirects are allowed during URL-based imports and the response URL isn’t validated, enabling requests to internal IPs (e.g., 127.0.0.1) despite earlier fixes that only validated DNS/internal IPs. The issue i...
CVE-2024-36128
Directus (Real-time API/dashboard for SQL databases) is affected by CVE-2024-36128 prior to version 10.11.2. Providing a non-numeric length to the random string generation utility triggers a memory issue that disrupts random session IDs, causing a denial of service where logged-in sessions can no...
CVE-2025-30352
CVE-2025-30352 affects Directus real-time API/dashboard. Versions 9.0.0-alpha.4 through 11.5.0 are vulnerable due to the search query parameter not checking view permissions when constructing WHERE clauses, allowing enumeration of contents in fields the user should not see. The underlying issue i...
CVE-2025-30225
The CVE affects Directus users via the @directus/storage-driver-s3 driver: versions 9.22.0 up to 11.5.0 (paired Directus 9.22.0 to 11.5.0) are vulnerable to asset unavailability after a burst of malformed transformation requests, causing all assets to return 403 under load. The issue is fixed in ...
CVE-2024-39701
Directus (versions 9.23.0 through 10.5.3) improperly handles the _in and _nin operators by evaluating empty arrays as valid, causing Broken Access Control where a rule like {"role": {"_in": $CURRENT_USER.some_field}} may pass unexpectedly. The issue is fixed in Directus 10.6.0. Affected deploymen...
CVE-2024-45596
Summary: Directus real-time API/dashboard contains a vulnerability where an unauthenticated user can obtain the credentials of the last authenticated user via OpenID or OAuth2 when the redirect parameter is missing. Root cause: the respond middleware caches certain GET requests, and the condition...
CVE-2025-27089
Directus has a vulnerability (CVE-2025-27089) where overlapping update policies can cause a user to update fields not permitted for a specific item. Root cause: the system previously validated access at the item level; the fix evaluates permissions per field in the validateItemAccess query and re...
CVE-2024-46990
Summary: CVE-2024-46990 affects Directus where blocking localhost via the default 0.0.0.0 filter can be bypassed using other loopback addresses (e.g., 127.0.0.2–127.127.127.127). Vulnerability details (supported by connected docs): Directus real-time API and app dashboard fails to restrict access...
CVE-2024-34708
Directus 10.x is affected by a Sensitive Information Disclosure vulnerability where a user with permission to view any collection can bypass redaction via the alias API parameter (alias[workaround]=redacted), exposing plaintext values of hashed fields. The root cause is improper handling of the a...
CVE-2024-34709
Directus before version 10.11.0 does not invalidate session tokens on logout. The directus_session cookie is destroyed, but if the cookie value is captured, it remains valid for the token’s full expiry (1 day by default), effectively making it a long-lived, unrevokable stateless token. The issue ...
CVE-2024-6534
CVE-2024-6534 affects Directus v10.13.0. An authenticated external attacker can modify presets created by the same user to assign them to another user due to insufficient validation of the user parameter in PATCH /presets (only POST /presets is validated). This vulnerability, when chained with CV...
CVE-2022-36031
Directus CVE-2022-36031 affects the Directus data platform. The issue arises when an authorized (non-admin) user with permission to update the filename_disk field on directus_files changes the value to a folder and then accesses that file via the /assets endpoint, causing the Directus process to ...
CVE-2024-6533
Directus 10.13.0 is affected by a DOM-based XSS flaw where an authenticated attacker can inject and store an attacker-controlled value that is rendered into an unsanitized DOM element on the client. The issue stems from how a parameter is stored on the server and later used by the client, enablin...
CVE-2023-27481
CVE-2023-27481—Directus password-hash exposure risk : Directus prior to 9.16.0 allowed users with read access to the password field in directus_users to enumerate argon2 password hashes by abusing the export function with a _starts_with filter. The root cause is a permissive filtering path on has...
CVE-2023-45820
Directus is vulnerable to a DoS via invalid WebSocket frames. When websockets are enabled, receiving an invalid frame can crash the Directus server, leading to high availability impact. The issue affects Directus installations with websockets enabled and has been addressed in version 10.6.2; upgr...
CVE-2020-19850
CVE-2020-19850 affects Directus API v2.2.0. It allows a remote attacker to cause a denial of service by sending a large number of HTTP requests. CVSS v3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The vulnerability concerns Directus API’s handling of request volume and could impact av...
CVE-2025-53889
Summary: CVE-2025-53889 affects Directus up to 11.9.0 where manual trigger Flows do not validate whether the triggering user has read permissions for payload items, potentially allowing unauthorized actions. The issue is fixed in 11.9.0; a workaround is to add permission checks for read access to...
CVE-2025-53885
Directus Flows logs can disclose sensitive user data via the Log to Console operation. Affected: Directus real-time API/dashboard prior to 11.9.0 (versions 9.0.0–11.8.x). Root cause: logging unfettered input during user create/update events, enabling a malicious admin to view other users’ data. I...
CVE-2025-53887
Summary: Directus prior to 11.9.0 exposes the exact running version via the OpenAPI spec at /server/specs/oas, enabling targeted lookups for known vulnerabilities in Directus core and dependencies. This information disclosure is fixed in 11.9.0. What’s affected: Directus real-time API and app das...
CVE-2026-39943
CVE-2026-39943 (Directus) affects Directus prior to v11.17.0. The revision-snapshot path writes revisions to directus_revisions without consistently applying the prepareDelta sanitization, potentially storing sensitive fields (tokens, 2FA secrets, external auth identifiers, auth data, credentials...
CVE-2026-35413
Directus CVE-2026-35413 exposes schema structure via the server_specs_graphql resolver on /graphql/system when GRAPHQL_INTROSPECTION is false. Multiple trusted sources (Directus advisories, Red Hat, OSV, Snyk, etc.) confirm that before version 11.16.1, SDL-style schema data could be retrieved by ...
CVE-2026-35411
Directus prior to 11.16.1 is vulnerable to an open redirect on the /admin/tfa-setup page via the redirect parameter. An administrator who has not configured 2FA can be presented with the legitimate 2FA setup page, and after completing setup the app redirects to an attacker‑controlled URL without ...
CVE-2026-26185
Directus before v11.14.1 is affected by a timing-based user enumeration vulnerability in the password reset flow. When an invalid reset_url is supplied, responses differ by about 500ms between existing and non-existing users, enabling enumeration of valid usernames. The issue is fixed in v11.14.1...
CVE-2026-35409
Directus SSRF protection bypass (CVE-2026-35409) arises from inadequate normalization of IPv4-mapped IPv6 addresses in the deny-list, allowing requests to internal/private targets to bypass the IP filter in file import workflows. Affected product: Directus real-time API/dashboard; vulnerability f...
CVE-2026-35441
Directus CVE-2026-35441 affects Directus up to version 11.16.x, with the GraphQL endpoints /graphql and /graphql/system failing to deduplicate resolver invocations within a single request. The vulnerability allows an authenticated user to abuse GraphQL aliasing to trigger many expensive relationa...
CVE-2026-22032
Directus before v11.14.0 has an open redirect in the SAML authentication callback endpoint. The RelayState used to preserve the original destination is not validated for the callback, enabling an attacker to redirect users to an arbitrary external URL after login completion. The issue affects bot...
CVE-2026-35410
CVE-2026-35410 – Directus open redirect : The vulnerability lies in Directus’ login redirection logic, where the isLoginRedirectAllowed function can misclassify malformed URLs as internal, bypassing the redirect allow-list and sending authenticated users to arbitrary external domains. Affected so...
CVE-2026-39942
CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...
CVE-2025-64746
Directus before 11.13.0 improperly cleans up field-level permissions when a field is deleted. A stale permission reference remains in the permissions table; if a new field with the same name is created, it inherits those outdated permissions, potentially granting access to data users should not r...
CVE-2026-35442
CVE-2026-35442 affects Directus prior to 11.17.0, where aggregate functions (min/max) on fields with the concealed type can return raw database values instead of masked placeholders. When used with groupBy, any authenticated user with read access to the affected collection can extract concealed v...
CVE-2025-64748
CVE-2025-64748 affects Directus (real-time API and app dashboard for SQL databases). Prior to 11.13.0, authenticated users with read permissions can search concealed/sensitive fields; while actual values are masked, matching records reveal existence of those values, enabling data enumeration. Aff...