CVE-2026-35411
MEDIUM
GHSA-q75c-4gmv-mg9x
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Tags
Description
### Summary Directus is vulnerable to an Open Redirect via the redirect query parameter on the `/admin/tfa-setup` page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the `redirect` parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. ### Credits Discovered by Neo by ProjectDiscovery (https://neo.projectdiscovery.io/)
Analysis
Open redirect vulnerability in Directus allows unauthenticated attackers to redirect administrators to attacker-controlled URLs after 2FA setup completion via crafted `/admin/tfa-setup` redirect parameter. The attack leverages user interaction on the trusted Directus domain before redirecting to a malicious site, enabling phishing campaigns targeting administrators. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today