Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit dd7d8068184c · 2026-04-04T06:10:59.000Z
GHSA-cf45-hxwj-4cfj GHSA-q75c-4gmv-mg9x GHSA-wxwm-3fxv-mrvx
diff --git a/advisories/github-reviewed/2026/04/GHSA-cf45-hxwj-4cfj/GHSA-cf45-hxwj-4cfj.json b/advisories/github-reviewed/2026/04/GHSA-cf45-hxwj-4cfj/GHSA-cf45-hxwj-4cfj.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cf45-hxwj-4cfj",
+  "modified": "2026-04-04T06:09:55Z",
+  "published": "2026-04-04T06:09:55Z",
+  "aliases": [
+    "CVE-2026-35410"
+  ],
+  "summary": "Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow",
+  "details": "### Summary\n\nAn open redirect vulnerability exists in the login redirection logic. The `isLoginRedirectAllowed` function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.\n\n### Details\n\nA parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references.\n\nThis is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process.\n\n### Impact\n\n- **Phishing:** Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating.\n- **Credential/token theft:** The redirect can be chained to capture OAuth tokens or authorization codes.\n- **Trust erosion:** Users lose confidence in the application after being redirected to unexpected domains post-login.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.16.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-184",
+      "CWE-20",
+      "CWE-601"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:09:55Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-q75c-4gmv-mg9x/GHSA-q75c-4gmv-mg9x.json b/advisories/github-reviewed/2026/04/GHSA-q75c-4gmv-mg9x/GHSA-q75c-4gmv-mg9x.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q75c-4gmv-mg9x",
+  "modified": "2026-04-04T06:08:26Z",
+  "published": "2026-04-04T06:08:26Z",
+  "aliases": [
+    "CVE-2026-35411"
+  ],
+  "summary": "Directus: Open Redirect in Admin 2FA Setup Page",
+  "details": "### Summary\n\nDirectus is vulnerable to an Open Redirect via the redirect query parameter on the `/admin/tfa-setup` page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the `redirect` parameter without any validation.\n\nThis vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain.\n\n### Credits\nDiscovered by Neo by ProjectDiscovery (https://neo.projectdiscovery.io/)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.16.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-q75c-4gmv-mg9x"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-601"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:08:26Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-wxwm-3fxv-mrvx/GHSA-wxwm-3fxv-mrvx.json b/advisories/github-reviewed/2026/04/GHSA-wxwm-3fxv-mrvx/GHSA-wxwm-3fxv-mrvx.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wxwm-3fxv-mrvx",
+  "modified": "2026-04-04T06:10:27Z",
+  "published": "2026-04-04T06:10:27Z",
+  "aliases": [
+    "CVE-2026-35413"
+  ],
+  "summary": "Directus: GraphQL Schema SDL Disclosure Setting",
+  "details": "## Summary\n\nWhen `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly blocks standard GraphQL introspection queries (`__schema`, `__type`). However, the `server_specs_graphql` resolver on the `/graphql/system` endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level.\n\n## Impact\n\nAdministrators who set `GRAPHQL_INTROSPECTION=false` to hide schema structure from clients would have had a false sense of security, as equivalent schema information remained accessible via the SDL endpoint without authentication.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.16.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:10:27Z",
+    "nvd_published_at": null
+  }
+}
