Publish Advisories

GHSA-mvv8-v4jj-g47j
GHSA-ph52-67fq-75wj
GHSA-qqmv-5p3g-px89
GHSA-wv3h-5fx7-966h

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-mvv8-v4jj-g47j/GHSA-mvv8-v4jj-g47j.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mvv8-v4jj-g47j",
+  "modified": "2026-04-04T06:12:07Z",
+  "published": "2026-04-04T06:12:07Z",
+  "aliases": [],
+  "summary": "Directus: Sensitive fields exposed in revision history",
+  "details": "### Summary\n\nDirectus stores revision records (in `directus_revisions`) whenever items are created or updated. Due to the revision snapshot code not consistently calling the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.\n\nAdditionally, the same sensitive fields were missing from the redaction list used when Directus Flows logged operation payloads involving the `directus_users` collection.\n\n### Impact\nAny user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:\n- `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`\n- `ai_openai_api_key`, `ai_anthropic_api_key`, `ai_google_api_key`, `ai_openai_compatible_api_key`\n\nThis could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.\n\n### Affected code paths\n\n1. **Item create/update revisions** The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.\n2. **Authentication service** When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.\n3. **Flows** The payload redaction list used when writing flow logs was missing `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`, and the AI API key fields, causing these to be written unredacted into flow execution data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.17.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-312"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:12:07Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-ph52-67fq-75wj/GHSA-ph52-67fq-75wj.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ph52-67fq-75wj",
+  "modified": "2026-04-04T06:12:52Z",
+  "published": "2026-04-04T06:12:52Z",
+  "aliases": [
+    "CVE-2026-35441"
+  ],
+  "summary": "Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits",
+  "details": "### Summary\n\nDirectus' GraphQL endpoints (`/graphql` and `/graphql/system`) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition.\n\n### Fix\n\nA request-scoped resolver deduplication mechanism was introduced and applied broadly across all GraphQL read resolvers, both system and items endpoints. When multiple aliases in a single request invoke the same resolver with identical arguments, only the first call executes; all subsequent aliases share its result. This eliminates the amplification factor regardless of how many aliases a query contains.\n\n### Impact\n\n- **Service degradation or outage:** Concurrent complex database queries exhaust the connection pool and server resources, affecting all users\n- **Low privilege required:** Any authenticated user, including those with read-only access to a single collection, can trigger this condition\n- **Linear scaling:** Impact scales with the number of aliases and depth of relational queries\n- **Compounded by concurrency:** Multiple simultaneous requests multiply the effect further",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.17.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:12:52Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-qqmv-5p3g-px89/GHSA-qqmv-5p3g-px89.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qqmv-5p3g-px89",
+  "modified": "2026-04-04T06:11:18Z",
+  "published": "2026-04-04T06:11:18Z",
+  "aliases": [
+    "CVE-2026-35412"
+  ],
+  "summary": "Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite",
+  "details": "## Summary\n\nDirectus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on `directus_files`, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., \"users can only update their own files\") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.\n\n## Impact\n\n- **Arbitrary file overwrite:** Any authenticated user with basic TUS upload permissions can overwrite any file in `directus_files` by UUID, regardless of row-level permission rules.\n- **Permanent data loss:** The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.\n- **Metadata corruption:** The victim file's database record is updated with the attacker's filename, type, and size metadata.\nPrivilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in `directus_files`, a low-privilege user could replace them with malicious content.\n\n## Workaround\n\nDisable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.16.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:11:18Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-wv3h-5fx7-966h/GHSA-wv3h-5fx7-966h.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wv3h-5fx7-966h",
+  "modified": "2026-04-04T06:10:53Z",
+  "published": "2026-04-04T06:10:53Z",
+  "aliases": [
+    "CVE-2026-35409"
+  ],
+  "summary": "Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import",
+  "details": "### Summary\nA Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.\n\n### Details\nDirectus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of `127.0.0.1`) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target.\n\nThis has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation.\n\n### Impact\nAn authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "directus"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.16.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/directus/directus"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20",
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T06:10:53Z",
+    "nvd_published_at": null
+  }
+}