Skip to main content

Google CVE-2026-35408

HIGH
Origin Validation Error (CWE-346)
2026-04-04 https://github.com/directus/directus GHSA-8m32-p958-jg99
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 17:07 vuln.today
cvss_changed
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:15 vuln.today
CVE Published
Apr 04, 2026 - 06:06 nvd
HIGH 8.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on directus (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 11.17.0.

DescriptionGitHub Advisory

Summary

Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord).

Impact

A successful attack allows the attacker to obtain an OAuth access token for the victim's third-party identity provider account. Depending on the scopes authorized, this can lead to:

  • Unauthorized access to the victim's linked identity provider account
  • Account takeover of the Directus instance if the attacker can authenticate using the stolen credentials or provider session

Patches

This issue has been addressed by adding the Cross-Origin-Opener-Policy: same-origin HTTP response header to SSO-related endpoints. This header instructs the browser to place the page in its own browsing context group, severing any reference the opener window may hold.

Workarounds

Users who are unable to upgrade immediately can mitigate this vulnerability by configuring their reverse proxy or web server to add the following HTTP response header to all Directus responses: Cross-Origin-Opener-Policy: same-origin

AnalysisAI

OAuth authorization flow interception in Directus enables attackers to steal victims' identity provider access tokens through cross-origin window manipulation. This authentication bypass vulnerability (CVSS 8.7) affects the Directus npm package due to missing Cross-Origin-Opener-Policy headers on SSO login pages, allowing malicious sites to redirect OAuth flows to attacker-controlled clients. No public exploit identified at time of analysis, though EPSS data unavailable. Attack complexity rated HIGH due to requirement for victim interaction with attacker-controlled origin during authentication flow.

Technical ContextAI

Directus is an open-source headless CMS platform (npm package: directus) that supports Single Sign-On authentication via OAuth providers like Google and Discord. This vulnerability stems from CWE-346 (Origin Validation Error), specifically the absence of Cross-Origin-Opener-Policy (COOP) HTTP response headers on SSO endpoints. COOP is a browser security mechanism that controls whether a cross-origin document can retain a reference to a window it opened. Without COOP: same-origin, when a malicious site opens a Directus SSO login page via window.open(), it maintains access to the opened window's JavaScript context. This enables the attacker to monitor navigation events and inject malicious code that redirects the OAuth authorization callback to an attacker-controlled OAuth client ID, effectively performing a client-side authorization code interception attack. The vulnerability exploits the trust relationship between OAuth identity providers and client applications, leveraging the victim's authenticated session with the provider.

RemediationAI

Vendor-released patch available addressing this vulnerability by adding Cross-Origin-Opener-Policy: same-origin HTTP response headers to all SSO-related endpoints in Directus. Organizations should upgrade to the latest patched version of the Directus npm package immediately, with specific fixed version details available in the GitHub security advisory at https://github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99. For environments unable to upgrade immediately, implement temporary mitigation by configuring reverse proxy or web server (nginx, Apache, Cloudflare, etc.) to inject the Cross-Origin-Opener-Policy: same-origin header on all responses from Directus application servers. This workaround provides equivalent protection until application upgrade completes. Verify remediation by inspecting HTTP response headers on SSO login endpoints using browser developer tools or curl commands. After patching, no additional configuration changes required as fix is implemented at application level. Organizations should also review OAuth client configurations with identity providers to identify any suspicious or unauthorized client registrations that may indicate prior exploitation attempts.

Share

CVE-2026-35408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy