CVE-2026-35413
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 3 npm packages depend on directus (1 direct, 2 indirect)
Ecosystem-wide dependent count for version 11.16.1.
DescriptionGitHub Advisory
Summary
When GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level.
Impact
Administrators who set GRAPHQL_INTROSPECTION=false to hide schema structure from clients would have had a false sense of security, as equivalent schema information remained accessible via the SDL endpoint without authentication.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
AnalysisAI
Directus allows information disclosure of GraphQL schema structure via the /graphql/system endpoint when GRAPHQL_INTROSPECTION=false is configured, exposing collection names, field names, types, and relationships to unauthenticated users and authenticated users at their permission level. The vulnerability bypasses the introspection control mechanism by returning an equivalent SDL (Schema Definition Language) representation through the server_specs_graphql resolver, giving administrators a false sense of security while schema information remains publicly accessible.
Technical ContextAI
Directus is a Node.js-based headless CMS that exposes GraphQL APIs for content management. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically an inconsistent security control implementation. The GRAPHQL_INTROSPECTION configuration is intended to disable the standard GraphQL introspection queries (__schema and __type), which are built into the GraphQL specification to allow clients to discover schema structure. However, the /graphql/system endpoint implements a separate server_specs_graphql resolver that returns the schema in SDL format-a functionally equivalent representation of the same schema information. Because this resolver was not subject to the same introspection restrictions, it bypassed the intended access control. The affected product is the directus npm package, which is the core headless CMS application.
RemediationAI
Update the Directus npm package to a patched version released by the Directus project. Consult the GitHub security advisory at https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx for the exact fix version and upgrade instructions. As a temporary workaround pending patching, administrators can restrict network access to the /graphql/system endpoint via firewall, API gateway, or reverse proxy rules to prevent unauthenticated access to the SDL resolver, though this should not be relied upon as a permanent mitigation.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wxwm-3fxv-mrvx