Skip to main content

CVE-2026-35412

HIGH
Incorrect Authorization (CWE-863)
2026-04-04 https://github.com/directus/directus GHSA-qqmv-5p3g-px89
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 16:52 vuln.today
cvss_changed
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:15 vuln.today
CVE Published
Apr 04, 2026 - 06:11 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on directus (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 11.16.1.

DescriptionGitHub Advisory

Summary

Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.

Impact

  • Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.
  • Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
  • Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata.

Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.

Workaround

Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

AnalysisAI

Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Technical ContextAI

Directus is a popular open-source headless CMS and data platform built on Node.js. The TUS protocol (Tus Resumable Upload Standard) enables chunked file uploads that can survive network interruptions. This vulnerability (CWE-863: Incorrect Authorization) stems from a broken access control implementation in the TUS upload handler. While Directus enforces granular row-level permissions on the standard REST API (allowing policies like 'users can only modify their own files'), the TUS endpoint at /files/tus performs only collection-level checks against the directus_files table. When an authenticated user initiates a TUS upload with a target file UUID, the controller verifies the user has some permission on the files collection but never validates ownership or item-level access to the specific UUID being replaced. This architectural flaw creates a privilege escalation path where low-privilege users can modify high-privilege resources by exploiting the resumable upload feature.

RemediationAI

Immediately disable TUS resumable uploads by setting the environment variable TUS_ENABLED=false in your Directus configuration if chunked upload functionality is not operationally required-this provides instant mitigation with no code changes. For production environments requiring TUS functionality, monitor the official GitHub Security Advisory at https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89 for vendor-released patch announcements and upgrade to the patched version as soon as available. The advisory at https://github.com/advisories/GHSA-qqmv-5p3g-px89 should provide specific fixed version details when the patch is released. As a detective control, audit directus_files table modification logs for unexpected file overwrites by cross-referencing file UUIDs with user ownership records. Review and harden row-level permission policies to minimize the blast radius of any bypass vulnerabilities. For high-security environments, consider implementing application-layer monitoring to alert on TUS requests targeting file UUIDs not owned by the requesting user until the patch is deployed.

Share

CVE-2026-35412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy