Directus CVE-2026-39943
EUVD-2026-20952 · MEDIUM
Information Exposure (CWE-200)
2026-04-09 · GitHub_M
CVSS 3.1 score 6.5 (GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (4 events)

  • Patch released · Apr 09, 2026 20:30 (nvd): patch available
  • EUVD ID assigned · Apr 09, 2026 16:30 (euvd): EUVD-2026-20952
  • Analysis generated · Apr 09, 2026 16:30 (vuln.today)
  • CVE published · Apr 09, 2026 16:12 (nvd): MEDIUM 6.5

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to a depth of 4 paths):
  • 3 npm packages depend on directus (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 11.17.0.

Description (GitHub Advisory)

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.

Analysis (AI-generated)

Directus before 11.17.0 stores sensitive authentication and credential data in plaintext within revision records due to incomplete sanitization of revision snapshots, allowing authenticated users with database access to retrieve user tokens, 2FA secrets, external auth identifiers, and API keys from the directus_revisions table. The vulnerability affects all versions before 11.17.0 and requires low-privilege authenticated access to exploit; no public exploit code or active exploitation has been identified at time of analysis.
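As an added defender-side illustration, not Directus code and not the project's actual prepareDelta implementation: a sanitizer of the kind the description says was skipped, the vulnerable and fixed snapshot paths side by side, and an audit helper that flags already-stored revision rows still carrying an unredacted secret. The field names, the redaction marker and the `delta` JSON column are assumptions made for this example.

```javascript
// Added illustration, not Directus code. Field names, the redaction marker and the
// revision row shape (a JSON "delta" column) are assumptions made for this example.
const SENSITIVE_FIELDS = new Set(['token', 'tfa_secret', 'external_identifier', 'auth_data', 'password', 'api_key']);
const REDACTED = '**********';
// Recursively replace sensitive values so the snapshot can be persisted safely.
function sanitizeDelta(delta) {
  if (Array.isArray(delta)) return delta.map(sanitizeDelta);
  if (delta === null || typeof delta !== 'object') return delta;
  const out = {};
  for (const [key, value] of Object.entries(delta)) {
    out[key] = SENSITIVE_FIELDS.has(key) ? REDACTED : sanitizeDelta(value);
  }
  return out;
}
// Vulnerable shape: the raw delta is serialised straight into the revision row.
function buildRevisionUnsafe(collection, item, delta) {
  return { collection, item, delta: JSON.stringify(delta) };
}
// Fixed shape: every snapshot passes through the sanitizer before it is stored.
function buildRevision(collection, item, delta) {
  return { collection, item, delta: JSON.stringify(sanitizeDelta(delta)) };
}
// True when a parsed snapshot still carries a sensitive field with a real value.
function containsSensitive(value) {
  if (Array.isArray(value)) return value.some(containsSensitive);
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) =>
    (SENSITIVE_FIELDS.has(k) && v != null && v !== REDACTED) || containsSensitive(v));
}

// Audit helper: given exported revision rows, return the ids whose stored JSON still
// leaks a secret (candidates to purge after upgrading to a fixed version).
function findLeakedRevisions(rows) {
  const leaked = [];
  for (const row of rows) {
    let parsed;
    try { parsed = JSON.parse(row.delta); } catch { continue; }
    if (containsSensitive(parsed)) leaked.push(row.id);
  }
  return leaked;
}

// Constructed sample: row 1 written by the vulnerable path, row 2 by the fixed one.
const sampleUser = { email: 'editor@example.com', token: 'tok_constructed', tfa_secret: 'JBSWY3DP' };
const sampleRows = [
  { id: 1, ...buildRevisionUnsafe('directus_users', 'u1', sampleUser) },
  { id: 2, ...buildRevision('directus_users', 'u1', sampleUser) },
];
console.log(findLeakedRevisions(sampleRows)); // [1]
```

Running the audit over an export of directus_revisions after upgrading tells you which historical rows still need to be purged, since the fix only affects snapshots written from then on.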

Vulnerability Assessment (AI-generated)

Risk Assessment: This vulnerability presents moderate-to-high real-world risk despite the 6.5 CVSS score. …

Exploit Scenario: An authenticated user with low-privilege access to the Directus application (e.g., a content editor or junior developer) queries or exports the directus_revisions table via direct database access or API calls, revealing plaintext user authentication tokens, 2FA secrets, or external API credentials stored during item creation or modification. Alternatively, a database administrator or malicious insider with broader access extracts revision records as part of a data dump and gains unauthorized access to stored API keys or user credentials for lateral movement or privilege escalation. …

Remediation: Vendor-released patch: Upgrade Directus to version 11.17.0 or later, which fixes the prepareDelta sanitization pipeline to consistently scrub sensitive fields from revision snapshots. …

CVE-2026-39943 vulnerability details – vuln.today