Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Unauthenticated and network-reachable (PR:N/AV:N), but AC:H because exploitation depends on a cache entry pre-populated by a differently-scoped principal; scope changes (S:C) as one principal's data leaks to another, with pure confidentiality impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.
AnalysisAI
Cross-context cache disclosure in Directus before 12.0.0 lets share-token holders and anonymous clients receive permission-filtered responses that were cached for a differently-scoped principal, because the cache key omits authorization context. When response caching is enabled, the key derived in api/src/utils/get-cache-key.ts covers only version, path, query, and accountability.user; since share tokens and anonymous requests both collapse to user null, requests to the same URL and query share a cache bucket and skip permission re-evaluation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires response caching to be enabled in Directus (not enabled by default), and requires that a cacheable response for the exact same path and query string was already cached by a principal with different effective permissions - specifically a Directus share token or an authenticated user whose accountability.user resolves differently from the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, base 8.6) reflects a network-reachable, unauthenticated confidentiality breach with a scope change, which matches a cache that leaks one principal's authorized data to another. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Directus instance with response caching enabled, a share link (or an authenticated user) first requests a filtered collection endpoint, populating the cache with a permission-filtered response. An anonymous visitor or a holder of a different share token then requests the identical URL and query and is served that cached response without permission re-evaluation, disclosing records they should not see. … |
| Remediation | Vendor-released patch: upgrade to Directus 12.0.0 (https://github.com/directus/directus/releases/tag/v12.0.0), which namespaces cache keys by share and prevents cross-context collisions. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory Directus deployments and confirm which have response caching enabled to determine exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44673