CVE-2026-35412

Severity: HIGH (CVSS 3.1 base score 7.1)
Incorrect Authorization (CWE-863)
Published 2026-04-04 · https://github.com/directus/directus · GHSA-qqmv-5p3g-px89
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: Low

Lifecycle Timeline

  • Re-analysis Queued (CVSS changed): Apr 20, 2026 - 16:52, vuln.today
  • Patch released (patch available): Apr 04, 2026 - 08:30, nvd
  • Analysis Generated: Apr 04, 2026 - 06:15, vuln.today
  • CVE Published: Apr 04, 2026 - 06:11, nvd

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a path depth of 4):
  • 3 npm packages depend on directus (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 11.16.1.

Description (NVD)

Summary

Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.
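The missing check the summary describes, as an added illustration that is not Directus' own code: an overwrite handler guarded only by a collection-level permission test, beside one that also evaluates the rule's row filter against the specific file being replaced. The permission shape, the `$CURRENT_USER` placeholder, the user and file names and the UUID are all constructed.

```javascript
// Constructed store: files keyed by UUID, each with an owner and its stored bytes.
const files = new Map([
  ['f1a2b3c4-0000-4000-8000-000000000001',
   { uploaded_by: 'alice', filename: 'logo.png', bytes: 'ALICE-ORIGINAL' }],
]);

// Constructed permission rules: an action on a collection, optionally restricted
// by a row filter that must match the particular item being acted on.
const permissions = [
  { role: 'editor', collection: 'directus_files', action: 'create', filter: null },
  { role: 'editor', collection: 'directus_files', action: 'update',
    filter: { uploaded_by: '$CURRENT_USER' } },
];

// Collection-level check: does the role hold *some* rule for this action at all?
function hasCollectionPermission(user, collection, action) {
  return permissions.some(p =>
    p.role === user.role && p.collection === collection && p.action === action);
}

// Item-level check: the matching rule's row filter must also hold for this item.
function hasItemPermission(user, collection, action, item) {
  return permissions.some(p =>
    p.role === user.role && p.collection === collection && p.action === action &&
    Object.entries(p.filter ?? {}).every(([field, v]) =>
      item[field] === (v === '$CURRENT_USER' ? user.id : v)));
}

// Shared overwrite step: replaces stored bytes and metadata of an existing file.
function replaceFile(id, upload) {
  Object.assign(files.get(id), { filename: upload.filename, bytes: upload.bytes });
  return { status: 204 };
}

// Vulnerable pattern: only the collection-level check guards the overwrite, so a
// row filter such as "uploaded_by = $CURRENT_USER" is never consulted.
function tusOverwriteVulnerable(user, id, upload) {
  if (!files.has(id)) return { status: 404 };
  if (!hasCollectionPermission(user, 'directus_files', 'update')) return { status: 403 };
  return replaceFile(id, upload);
}

// Hardened pattern: the row filter is evaluated against the target item before
// any bytes are touched, so a user may only overwrite files the rule grants them.
function tusOverwriteFixed(user, id, upload) {
  const item = files.get(id);
  if (!item) return { status: 404 };
  if (!hasItemPermission(user, 'directus_files', 'update', item)) return { status: 403 };
  return replaceFile(id, upload);
}
```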

Impact

  • Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.
  • Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
  • Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata.
  • Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.

Workaround

Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Analysis (AI)

Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. …

Remediation (AI)

Within 24 hours: Identify all Directus deployments in your environment and document which npm package versions are currently deployed. Within 7 days: Restrict file upload permissions to administrative users only and review audit logs for unauthorized file modifications in the past 30 days, particularly on the /files/tus endpoint. …

CVE-2026-35412 vulnerability details – vuln.today
