CVE-2026-35410

| EUVD-2026-19518 MEDIUM
2026-04-04 https://github.com/directus/directus GHSA-cf45-hxwj-4cfj
6.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:15 vuln.today
EUVD ID Assigned
Apr 04, 2026 - 06:15 euvd
EUVD-2026-19518
CVE Published
Apr 04, 2026 - 06:09 nvd
MEDIUM 6.1

Tags

Open Redirect

Description

### Summary An open redirect vulnerability exists in the login redirection logic. The `isLoginRedirectAllowed` function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. ### Details A parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references. This is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process. ### Impact - **Phishing:** Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating. - **Credential/token theft:** The redirect can be chained to capture OAuth tokens or authorization codes. - **Trust erosion:** Users lose confidence in the application after being redirected to unexpected domains post-login.

Analysis

Open redirect vulnerability in Directus login redirection logic allows unauthenticated attackers to bypass URL allow-list validation through malformed URLs containing backslashes, silently redirecting authenticated users to arbitrary external domains. The vulnerability exploits a parser differential between server-side validation and browser URL normalization, creating a phishing vector particularly dangerous in SSO/OAuth2 flows where attackers can capture authentication tokens without visible user indication. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

30
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0

Share

CVE-2026-35410 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy