35 matches found
CVE-2023-26492
Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import), exploitable via DNS rebinding to bypass IP deny lists and access sensitive internal data. Affected versions include Directus prior to 9.23.0 (e.g.,
CVE-2024-27295
Directus vulnerability CVE-2024-27295: the password reset flow can be abused due to accent-insensitive and case-insensitive comparisons in MySQL/MariaDB, enabling an attacker to request a reset for a victim’s account by using a near-identical email address (with accented characters). The issue af...
CVE-2024-47822
CVE-2024-47822 – Directus : The issue arises from access tokens in query strings not being redacted when LOG_STYLE is set to raw, allowing potential exposure of long‑lived tokens in system logs. This could enable an attacker with log access to gain administrative control or perform unauthorized d...
CVE-2024-27296
CVE-2024-27296 affects Directus: prior to 10.8.3, the exact Directus version is shipped in compiled JS bundles accessible without authentication, enabling attackers to map to known vulnerabilities in Directus core or dependencies. The issue has been fixed in 10.8.3 and later. Remediation is upgra...
CVE-2023-28443
CVE-2023-28443 affects Directus before version 9.23.3, where the token directus_refresh_token is not redacted in logs, enabling potential user impersonation. The root cause is improper token redaction in log output, leading to sensitive data exposure via logging. The vulnerability requires access...
CVE-2024-28238
CVE-2024-28238 concerns Directus, where a session token (JWT) is sent via GET on the /files page. This exposes tokens to logs (web servers, browser history), enabling potential session hijacking and unauthorized actions if an attacker accesses those logs. Public sources in the connected documents...
CVE-2024-28239
CVE-2024-28239 affects Directus. The authentication API’s redirect parameter can be exploited to perform an open redirect during login (e.g., redirect to http://malicious-fishing-site.com after OAuth2 login). This can enable phishing by steering users to a forged error page while using a legitima...
CVE-2025-24353
Directus prior to version 11.2.0 is vulnerable to privilege escalation via the share feature. A user can specify an arbitrary role when sharing an item, enabling access to fields that should be restricted for their role. Affected instances are those using the share feature with a role hierarchy a...
CVE-2022-26969
CVE-2022-26969 affects Directus prior to version 9.7.0, where the default settings for CORS_ORIGIN and CORS_ENABLED are true. The Red Hat and NVD entries confirm this issue, with a high-severity CVSS v3.1 base score (9.8, CRITICAL) and a network-based vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)....
CVE-2024-39895
Directus (graph-based API) is affected by a DoS via GraphQL field duplication. An attacker can craft a query to duplicate fields (e.g., GraphQL /graphql calls in dashboards), causing excessive resource usage and service unavailability. The vulnerability is fixed in Directus 10.12.0. Remediation: ...
CVE-2024-39896
Directus (real-time API/admin for SQL content) has a user-enumeration flaw when relying on SSO providers together with local login. If an email exists and belongs to a known SSO provider, Directus may emit a “helpful” error indicating the user belongs to another provider, enabling enumeration of ...
CVE-2024-36128
Directus (Real-time API/dashboard for SQL databases) is affected by CVE-2024-36128 prior to version 10.11.2. Providing a non-numeric length to the random string generation utility triggers a memory issue that disrupts random session IDs, causing a denial of service where logged-in sessions can no...
CVE-2024-39699
Directus has a Blind SSRF via redirects in file import. The vulnerability arises because redirects are allowed during URL-based imports and the response URL isn’t validated, enabling requests to internal IPs (e.g., 127.0.0.1) despite earlier fixes that only validated DNS/internal IPs. The issue i...
CVE-2024-46990
Summary: CVE-2024-46990 affects Directus where blocking localhost via the default 0.0.0.0 filter can be bypassed using other loopback addresses (e.g., 127.0.0.2–127.127.127.127). Vulnerability details (supported by connected docs): Directus real-time API and app dashboard fails to restrict access...
CVE-2024-45596
Summary: Directus real-time API/dashboard contains a vulnerability where an unauthenticated user can obtain the credentials of the last authenticated user via OpenID or OAuth2 when the redirect parameter is missing. Root cause: the respond middleware caches certain GET requests, and the condition...
CVE-2024-34708
Directus 10.x is affected by a Sensitive Information Disclosure vulnerability where a user with permission to view any collection can bypass redaction via the alias API parameter (alias[workaround]=redacted), exposing plaintext values of hashed fields. The root cause is improper handling of the a...
CVE-2024-34709
Directus before version 10.11.0 does not invalidate session tokens on logout. The directus_session cookie is destroyed, but if the cookie value is captured, it remains valid for the token’s full expiry (1 day by default), effectively making it a long-lived, unrevokable stateless token. The issue ...
CVE-2022-36031
Directus CVE-2022-36031 affects the Directus data platform. The issue arises when an authorized (non-admin) user with permission to update the filename_disk field on directus_files changes the value to a folder and then accesses that file via the /assets endpoint, causing the Directus process to ...
CVE-2023-27481
CVE-2023-27481—Directus password-hash exposure risk : Directus prior to 9.16.0 allowed users with read access to the password field in directus_users to enumerate argon2 password hashes by abusing the export function with a _starts_with filter. The root cause is a permissive filtering path on has...
CVE-2026-39943
CVE-2026-39943 (Directus) affects Directus prior to v11.17.0. The revision-snapshot path writes revisions to directus_revisions without consistently applying the prepareDelta sanitization, potentially storing sensitive fields (tokens, 2FA secrets, external auth identifiers, auth data, credentials...
CVE-2026-35413
Directus CVE-2026-35413 exposes schema structure via the server_specs_graphql resolver on /graphql/system when GRAPHQL_INTROSPECTION is false. Multiple trusted sources (Directus advisories, Red Hat, OSV, Snyk, etc.) confirm that before version 11.16.1, SDL-style schema data could be retrieved by ...
CVE-2026-35411
Directus prior to 11.16.1 is vulnerable to an open redirect on the /admin/tfa-setup page via the redirect parameter. An administrator who has not configured 2FA can be presented with the legitimate 2FA setup page, and after completing setup the app redirects to an attacker‑controlled URL without ...
CVE-2026-26185
Directus before v11.14.1 is affected by a timing-based user enumeration vulnerability in the password reset flow. When an invalid reset_url is supplied, responses differ by about 500ms between existing and non-existing users, enabling enumeration of valid usernames. The issue is fixed in v11.14.1...
CVE-2026-35409
Directus SSRF protection bypass (CVE-2026-35409) arises from inadequate normalization of IPv4-mapped IPv6 addresses in the deny-list, allowing requests to internal/private targets to bypass the IP filter in file import workflows. Affected product: Directus real-time API/dashboard; vulnerability f...
CVE-2026-22032
Directus before v11.14.0 has an open redirect in the SAML authentication callback endpoint. The RelayState used to preserve the original destination is not validated for the callback, enabling an attacker to redirect users to an arbitrary external URL after login completion. The issue affects bot...
CVE-2026-35441
Directus CVE-2026-35441 affects Directus up to version 11.16.x, with the GraphQL endpoints /graphql and /graphql/system failing to deduplicate resolver invocations within a single request. The vulnerability allows an authenticated user to abuse GraphQL aliasing to trigger many expensive relationa...
CVE-2025-64746
Directus before 11.13.0 improperly cleans up field-level permissions when a field is deleted. A stale permission reference remains in the permissions table; if a new field with the same name is created, it inherits those outdated permissions, potentially granting access to data users should not r...
CVE-2026-39942
CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...
CVE-2026-35410
CVE-2026-35410 – Directus open redirect : The vulnerability lies in Directus’ login redirection logic, where the isLoginRedirectAllowed function can misclassify malformed URLs as internal, bypassing the redirect allow-list and sending authenticated users to arbitrary external domains. Affected so...
CVE-2025-64747
CVE-2025-64747 describes a stored XSS in Directus prior to version 11.13.0. Attackers with upload files and edit item permissions can inject JavaScript via the Block Editor interface. The technique exploits insufficient sanitization and uses an iframe with a srcdoc attribute to bypass CSP, enabli...
CVE-2026-35408
Summary of CVE-2026-35408 (Directus): Prior to 11.17.0, Directus SSO login pages did not send COOP headers, enabling a malicious cross-origin window to access/manipulate the login page and potentially intercept/redirect the OAuth flow to an attacker-controlled client. This could lead to unauthori...
CVE-2026-35442
CVE-2026-35442 affects Directus prior to 11.17.0, where aggregate functions (min/max) on fields with the concealed type can return raw database values instead of masked placeholders. When used with groupBy, any authenticated user with read access to the affected collection can extract concealed v...
CVE-2025-64748
CVE-2025-64748 affects Directus (real-time API and app dashboard for SQL databases). Prior to 11.13.0, authenticated users with read permissions can search concealed/sensitive fields; while actual values are masked, matching records reveal existence of those values, enabling data enumeration. Aff...
CVE-2025-64749
Directus REST API (version
CVE-2026-35412
Directus prior to 11.16.1 is vulnerable to an authorization bypass in the TUS resumable upload endpoint (/files/tus). The TUS controller only performs collection-level authorization on directus_files and does not validate item-level access for the target file, allowing any authenticated user with...