Skip to main content

Directus CVE-2026-61835

| EUVDEUVD-2026-44672 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-15 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable SSRF needing only low-privilege upload rights (PR:L) and no interaction; scope changes to internal systems (S:C) with high confidentiality but no integrity/availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:18 vuln.today
Analysis Generated
Jul 15, 2026 - 15:18 vuln.today
CVE Published
Jul 15, 2026 - 14:16 cve.org
HIGH 7.7

DescriptionCVE.org

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, the SSRF protection on Directus's file-import-from-URL feature can be bypassed using the address 0.0.0.0 because api/src/request/is-denied-ip.ts treats 0.0.0.0 as a keyword for local interfaces but never blocks the literal address itself. On Linux and macOS, connecting to 0.0.0.0 reaches localhost, so an authenticated user with file-upload rights can make the server fetch internal services through the /files/import endpoint and retrieve the response as a downloadable file. This issue is fixed in version 12.0.0.

AnalysisAI

Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with file-upload rights
Delivery
Call /files/import with http://0.0.0.0:<port> URL
Exploit
Bypass denylist via literal 0.0.0.0
Execution
Server fetches internal loopback service
Persist
Download stored response file
Impact
Exfiltrate internal data

Vulnerability AssessmentAI

Exploitation Requires an authenticated Directus account (prior to 12.0.0) that has file-upload/import permissions, and the server must run on Linux or macOS where a connection to the literal address 0.0.0.0 is routed to localhost. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7 High) is internally consistent with the description: network-reachable, low-complexity, requires low-privilege authentication (a user with file-upload rights), no user interaction, changed scope (the vulnerable app is pivoted to reach other systems), high confidentiality impact, and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Directus user who holds file-upload rights calls the /files/import endpoint with a URL such as http://0.0.0.0:<port>/ pointing at an internal service (for example a cloud metadata endpoint, admin API, or database dashboard bound to localhost). Because the denylist fails to block the literal 0.0.0.0, the server fetches the internal resource and stores the response as a downloadable file the attacker can then retrieve, exfiltrating internal data. …
Remediation Vendor-released patch: upgrade Directus to version 12.0.0 or later, which updates the IP denylist to parse the 0.0.0.0/8 subnet and block the IPv6 unspecified address :: (per PR #27606 and commit f75b25f); see the advisory at https://github.com/directus/directus/security/advisories/GHSA-j5h6-vqc3-phqh and release https://github.com/directus/directus/releases/tag/v12.0.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit and revoke file-upload permissions for all non-administrative users in Directus installations; document remaining privileged accounts and their business justification. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2018-10723 CRITICAL POC
9.8 May 05

Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra

CVE-2021-29641 HIGH POC
8.8 Apr 07

Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl

CVE-2021-26594 HIGH POC
8.8 Feb 23

In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr

CVE-2025-30353 HIGH POC
8.6 Mar 26

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu

CVE-2024-27295 HIGH POC
8.2 Mar 01

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu

CVE-2024-39701 HIGH POC
7.7 Jul 08

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu

CVE-2024-54151 HIGH POC
7.5 Dec 09

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu

CVE-2024-36128 HIGH POC
7.5 Jun 03

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu

CVE-2023-26492 HIGH POC
7.5 Mar 03

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu

CVE-2021-26593 HIGH POC
7.5 Feb 23

In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (

CVE-2024-45596 MEDIUM POC
6.5 Sep 10

Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this

CVE-2024-39895 MEDIUM POC
6.5 Jul 08

Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this

Share

CVE-2026-61835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy