Skip to main content

Directus CVE-2026-61836

| EUVDEUVD-2026-44673 HIGH
Use of Cache Containing Sensitive Information (CWE-524)
2026-07-15 GitHub_M
8.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.8 MEDIUM

Unauthenticated and network-reachable (PR:N/AV:N), but AC:H because exploitation depends on a cache entry pre-populated by a differently-scoped principal; scope changes (S:C) as one principal's data leaks to another, with pure confidentiality impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:19 vuln.today
Analysis Generated
Jul 15, 2026 - 15:19 vuln.today
CVE Published
Jul 15, 2026 - 14:17 cve.org
HIGH 8.6

DescriptionCVE.org

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.

AnalysisAI

Cross-context cache disclosure in Directus before 12.0.0 lets share-token holders and anonymous clients receive permission-filtered responses that were cached for a differently-scoped principal, because the cache key omits authorization context. When response caching is enabled, the key derived in api/src/utils/get-cache-key.ts covers only version, path, query, and accountability.user; since share tokens and anonymous requests both collapse to user null, requests to the same URL and query share a cache bucket and skip permission re-evaluation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify cached Directus endpoint
Delivery
Wait for/trigger privileged cache population
Exploit
Request identical URL as anonymous or other share
Execution
Receive mis-scoped cached response
Impact
Read unauthorized filtered data

Vulnerability AssessmentAI

Exploitation Exploitation requires response caching to be enabled in Directus (not enabled by default), and requires that a cacheable response for the exact same path and query string was already cached by a principal with different effective permissions - specifically a Directus share token or an authenticated user whose accountability.user resolves differently from the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, base 8.6) reflects a network-reachable, unauthenticated confidentiality breach with a scope change, which matches a cache that leaks one principal's authorized data to another. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Directus instance with response caching enabled, a share link (or an authenticated user) first requests a filtered collection endpoint, populating the cache with a permission-filtered response. An anonymous visitor or a holder of a different share token then requests the identical URL and query and is served that cached response without permission re-evaluation, disclosing records they should not see. …
Remediation Vendor-released patch: upgrade to Directus 12.0.0 (https://github.com/directus/directus/releases/tag/v12.0.0), which namespaces cache keys by share and prevents cross-context collisions. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory Directus deployments and confirm which have response caching enabled to determine exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2018-10723 CRITICAL POC
9.8 May 05

Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra

CVE-2021-29641 HIGH POC
8.8 Apr 07

Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl

CVE-2021-26594 HIGH POC
8.8 Feb 23

In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr

CVE-2025-30353 HIGH POC
8.6 Mar 26

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu

CVE-2024-27295 HIGH POC
8.2 Mar 01

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu

CVE-2024-39701 HIGH POC
7.7 Jul 08

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu

CVE-2024-54151 HIGH POC
7.5 Dec 09

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu

CVE-2024-36128 HIGH POC
7.5 Jun 03

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu

CVE-2023-26492 HIGH POC
7.5 Mar 03

Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu

CVE-2021-26593 HIGH POC
7.5 Feb 23

In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (

CVE-2024-45596 MEDIUM POC
6.5 Sep 10

Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this

CVE-2024-39895 MEDIUM POC
6.5 Jul 08

Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this

Share

CVE-2026-61836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy