CVE-2026-35412
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on directus (1 direct, 2 indirect)
Ecosystem-wide dependent count for version 11.16.1.
DescriptionGitHub Advisory
Summary
Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.
Impact
- Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in
directus_filesby UUID, regardless of row-level permission rules. - Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
- Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata.
Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.
Workaround
Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
AnalysisAI
Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Technical ContextAI
Directus is a popular open-source headless CMS and data platform built on Node.js. The TUS protocol (Tus Resumable Upload Standard) enables chunked file uploads that can survive network interruptions. This vulnerability (CWE-863: Incorrect Authorization) stems from a broken access control implementation in the TUS upload handler. While Directus enforces granular row-level permissions on the standard REST API (allowing policies like 'users can only modify their own files'), the TUS endpoint at /files/tus performs only collection-level checks against the directus_files table. When an authenticated user initiates a TUS upload with a target file UUID, the controller verifies the user has some permission on the files collection but never validates ownership or item-level access to the specific UUID being replaced. This architectural flaw creates a privilege escalation path where low-privilege users can modify high-privilege resources by exploiting the resumable upload feature.
RemediationAI
Immediately disable TUS resumable uploads by setting the environment variable TUS_ENABLED=false in your Directus configuration if chunked upload functionality is not operationally required-this provides instant mitigation with no code changes. For production environments requiring TUS functionality, monitor the official GitHub Security Advisory at https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89 for vendor-released patch announcements and upgrade to the patched version as soon as available. The advisory at https://github.com/advisories/GHSA-qqmv-5p3g-px89 should provide specific fixed version details when the patch is released. As a detective control, audit directus_files table modification logs for unexpected file overwrites by cross-referencing file UUIDs with user ownership records. Review and harden row-level permission policies to minimize the blast radius of any bypass vulnerabilities. For high-security environments, consider implementing application-layer monitoring to alert on TUS requests targeting file UUIDs not owned by the requesting user until the patch is deployed.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qqmv-5p3g-px89