Skip to main content

CVE-2026-35442

HIGH
Information Exposure (CWE-200)
2026-04-04 https://github.com/directus/directus GHSA-38hg-ww64-rrwc
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 16:37 vuln.today
cvss_changed
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:15 vuln.today
CVE Published
Apr 04, 2026 - 06:13 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on directus (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 11.17.0.

DescriptionGitHub Advisory

Summary

Aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users.

Details

Fields marked with conceal are protected by payload processing logic that replaces real values with a masked placeholder on read. This protection works correctly for standard item queries, but aggregate query results are structured differently, operations are nested under their function name rather than appearing as flat field keys. The masking logic does not account for this nested structure, causing it to silently skip concealed fields in aggregate responses and return their raw values to the client.

Impact

  • Account Takeover An authenticated attacker can harvest static API tokens for all users, including administrators, enabling immediate authentication as any account without credentials.
  • 2FA Bypass TOTP seeds stored in directus_users can similarly be extracted, allowing an attacker to bypass two-factor authentication for any account.

AnalysisAI

Directus CMS aggregate query functions bypass field-level concealment controls, exposing static API tokens and TOTP secrets from the directus_users table to any authenticated user with read access. Attackers can extract credentials for all accounts via min/max operations combined with groupBy clauses, enabling account takeover and two-factor authentication bypass. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication. No public exploit code or CISA KEV listing identified at time of analysis, though the attack vector is clearly documented in the GitHub security advisory.

Technical ContextAI

Directus is an open-source headless CMS (pkg:npm/directus) that implements field-level security through a 'conceal' special type, designed to mask sensitive values like API tokens and TOTP seeds during read operations. The vulnerability stems from an architectural inconsistency in how aggregate query results are processed. Standard item queries return flat key-value pairs that the masking logic correctly intercepts, but aggregate functions (min, max) nest results under function names as structured objects. The payload processing layer fails to recursively traverse this nested structure, causing it to skip concealment enforcement entirely. This represents a classic CWE-200 Information Exposure issue where security controls are inconsistently applied across different code paths accessing the same sensitive data. The directus_users collection stores authentication credentials including static API tokens (long-lived bearer tokens for service accounts) and TOTP seeds (base32-encoded secrets for time-based one-time passwords), making it the highest-value target for this attack technique.

RemediationAI

Apply the vendor-released security patch available through the official GitHub security advisory at https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc and https://github.com/advisories/GHSA-38hg-ww64-rrwc. The advisory should specify patched versions for npm package upgrade; administrators should update to the latest stable release that includes the fix for aggregate query payload processing. As an interim workaround until patching is complete, restrict read permissions on the directus_users collection to only highly privileged administrator roles, preventing low-privilege accounts from executing any queries (including aggregates) against authentication credential tables. Review access control policies to ensure concealed fields are protected by role-based permissions in addition to field-level masking, implementing defense-in-depth. Audit application logs for unexpected aggregate queries against directus_users or other collections with concealed fields to identify potential exploitation attempts. After patching, rotate all static API tokens and regenerate TOTP secrets for affected user accounts to invalidate any credentials potentially harvested during the vulnerability window.

Share

CVE-2026-35442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy