CVE-2026-35442

HIGH (CVSS 3.1 base score 8.1)
2026-04-04
https://github.com/directus/directus
GHSA-38hg-ww64-rrwc

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

- Patch Released: Apr 04, 2026 - 08:30 (nvd), patch available
- Analysis Generated: Apr 04, 2026 - 06:15 (vuln.today)
- CVE Published: Apr 04, 2026 - 06:13 (nvd)

Description

### Summary

Aggregate functions (`min`, `max`) applied to fields with the `conceal` special type incorrectly return raw database values instead of the masked placeholder. When combined with `groupBy`, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from `directus_users`.

### Details

Fields marked with `conceal` are protected by payload processing logic that replaces real values with a masked placeholder on read. This protection works correctly for standard item queries, but aggregate query results are structured differently: operations are nested under their function name rather than appearing as flat field keys. The masking logic does not account for this nested structure, so it silently skips concealed fields in aggregate responses and returns their raw values to the client.

### Impact

- **Account Takeover**: an authenticated attacker can harvest static API tokens for all users, including administrators, enabling immediate authentication as any account without credentials.
- **2FA Bypass**: TOTP seeds stored in `directus_users` can similarly be extracted, allowing an attacker to bypass two-factor authentication for any account.
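The nested-structure mismatch described under Details, as an added JavaScript illustration that is not Directus's own code: a masking pass that checks only flat keys beside a recursive one, plus a regression check that reports any concealed field still carrying a raw value. The placeholder string, the concealed field names and the sample rows are assumptions.

```javascript
// Added illustration, not Directus source: a flat masking pass misses concealed fields
// nested under an aggregate function name; a recursive pass masks them at any depth.
// The placeholder string and the concealed field names below are assumed.
const CONCEALED = '**********';
const concealedFields = { directus_users: new Set(['token', 'tfa_secret']) };

// Flat masking: only top-level keys are checked, so `{ max: { token: ... } }`
// passes through untouched because `max` is not a concealed field name.
function maskFlat(collection, row) {
  const hidden = concealedFields[collection] ?? new Set();
  const out = {};
  for (const [key, value] of Object.entries(row)) {
    out[key] = hidden.has(key) && value != null ? CONCEALED : value;
  }
  return out;
}

// Recursive masking: walks nested objects and arrays, so concealed field names are
// masked whether they appear as flat keys or under `min`/`max`.
function maskDeep(collection, node) {
  const hidden = concealedFields[collection] ?? new Set();
  if (Array.isArray(node)) return node.map((n) => maskDeep(collection, n));
  if (!node || typeof node !== 'object') return node;
  const out = {};
  for (const [key, inner] of Object.entries(node)) {
    out[key] = hidden.has(key) && inner != null ? CONCEALED : maskDeep(collection, inner);
  }
  return out;
}

// Regression check: returns the path of every concealed field whose value is still
// raw (not the placeholder) anywhere in a response; an empty list means no leak.
function findLeaks(collection, node, path = '') {
  const hidden = concealedFields[collection] ?? new Set();
  if (Array.isArray(node)) return node.flatMap((n, i) => findLeaks(collection, n, `${path}[${i}]`));
  if (!node || typeof node !== 'object') return [];
  return Object.entries(node).flatMap(([key, inner]) => {
    const here = path ? `${path}.${key}` : key;
    if (hidden.has(key) && inner != null && inner !== CONCEALED) return [here];
    return findLeaks(collection, inner, here);
  });
}

// Constructed sample responses: a plain item read and a grouped aggregate.
const plainRow = { id: 1, email: 'a@example.com', token: 'tok-123' };
const aggregateRows = [{ role: 'admin', max: { token: 'tok-123', tfa_secret: 'JBSWY3DP' } }];
```

Running `findLeaks` over the output of both masking passes shows the flat pass leaking `[0].max.token` and `[0].max.tfa_secret` while the recursive pass leaks nothing; the same check can be kept as a unit test against the real payload service.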

Analysis

Directus CMS aggregate query functions bypass field-level concealment controls, exposing static API tokens and TOTP secrets from the directus_users table to any authenticated user with read access. Attackers can extract credentials for all accounts via min/max operations combined with groupBy clauses, enabling account takeover and two-factor authentication bypass. …

Remediation

Within 24 hours:
- Identify all Directus CMS deployments in your environment and document current versions.
- Disable or restrict API aggregate query functions (min/max, groupBy operations) at the application level if possible.
- Implement network-level access controls limiting API access to trusted sources only.

Within 7 days:
- Contact Directus maintainers for patched version timeline and interim workarounds.
- Implement application-level query filtering to prevent groupBy/aggregate function combinations on the directus_users table.
- Conduct access audit of all API token holders.
…

Priority Score

40 (scale: Low / Medium / High / Critical)
- KEV: 0
- EPSS: +0.0
- CVSS: +40
- POC: 0
