CVE-2026-35409

| EUVD-2026-19517 HIGH
2026-04-04 https://github.com/directus/directus GHSA-wv3h-5fx7-966h
7.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:15 vuln.today
EUVD ID Assigned
Apr 04, 2026 - 06:15 euvd
EUVD-2026-19517
CVE Published
Apr 04, 2026 - 06:10 nvd
HIGH 7.7

Tags

SSRF Canonical Microsoft

Description

### Summary A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. ### Details Directus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of `127.0.0.1`) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target. This has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation. ### Impact An authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS).

Analysis

Server-Side Request Forgery (SSRF) in Directus headless CMS allows authenticated attackers (or unauthenticated users with public file-import permissions) to bypass IP address deny-list protections and access internal network resources. Attackers exploit IPv4-Mapped IPv6 address notation (e.g., ::ffff:127.0.0.1) to circumvent validation logic, enabling unauthorized requests to localhost services, internal databases, caches, APIs, and cloud instance metadata endpoints (AWS/GCP/Azure IMDS). …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all Directus instances in production and document versions. Disable or restrict file-import functionality for authenticated users pending remediation. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Share

CVE-2026-35409 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy