Skip to main content

Directus CVE-2026-39942

| EUVD-2026-20950 HIGH
Improper Access Control (CWE-284)
2026-04-09 GitHub_M GHSA-393c-p46r-7c95
Authentication Bypass Directus
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 16:30 euvd
EUVD-2026-20950
Analysis Generated
Apr 09, 2026 - 16:30 vuln.today
CVE Published
Apr 09, 2026 - 16:07 nvd
HIGH 8.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on directus (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 11.17.0.

DescriptionGitHub Advisory

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.

AnalysisAI

{id} requests. Attackers can overwrite other users' file content and forge metadata fields (e.g., uploaded_by) to hide evidence of tampering. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged user
Delivery
Send PATCH request to /files/{id}
Exploit
Set filename_disk to target file path
Execution
Overwrite victim file content
Impact
Manipulate uploaded_by metadata to hide tampering
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Directus versions prior to 11.17.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.5 reflects high integrity impact via authenticated file overwriting across scope boundaries. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Authenticated attacker with PATCH permissions calls PATCH /files/{id} with crafted filename_disk parameter pointing to another user's stored file path, overwriting its content. Metadata fields (uploaded_by, modified_at) are simultaneously manipulated to conceal attribution. …
Remediation Vendor-released patch: upgrade to Directus 11.17.0 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

{id} PATCH endpoints to administrative users only via authentication controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39942 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy