CVE-2026-61836 in Directus
Summary
by MITRE • 07/15/2026
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability described affects Directus versions prior to 12.0.0 and represents a critical authorization bypass through improper cache key derivation mechanisms. This flaw exists within the api/src/utils/get-cache-key.ts file where the system generates cache keys for API responses, fundamentally undermining the security model of the application. The cache key generation process includes version, path, query parameters, and user accountability information but deliberately excludes crucial authorization context elements including share identifiers, role assignments, administrative privileges, application-level permissions, and policy enforcement mechanisms.
The technical implementation flaw stems from incomplete cache key composition that fails to incorporate essential permission-related variables necessary for maintaining proper access controls. When response caching is enabled, this vulnerability allows attackers to exploit the absence of authorization context in cache key generation, creating a scenario where different users with varying permission levels can inadvertently receive cached responses meant for other users. The specific omission of share, role, roles, admin, app, and policies from the cache key calculation creates predictable collision points that bypass normal permission evaluation processes.
This vulnerability directly impacts the principle of least privilege and authorization integrity within the Directus application architecture, as it enables unauthorized information disclosure through cached responses. The issue becomes particularly dangerous when considering that both direct share tokens and anonymous requests can resolve to user null in the cache key derivation process, creating a scenario where legitimate users with different permission levels receive identical cached responses without re-evaluation of their specific authorization contexts. This behavior violates fundamental security principles around access control enforcement and data segregation.
The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable privilege escalation scenarios where attackers can gain access to content normally restricted to other user roles or share configurations. Attackers could craft requests that, when cached, would subsequently be served to users with higher privileges, effectively bypassing the intended authorization boundaries. This type of vulnerability aligns with CWE-284 Access Control Issues and represents a classic case of insufficient authorization checks in caching mechanisms.
From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation through cache poisoning and unauthorized access via weak access control enforcement. The fix implemented in Directus version 12.0.0 addresses the core issue by ensuring that all relevant authorization context is properly included in cache key derivation, thereby preventing different users from receiving cached responses intended for other permission levels. This remediation approach aligns with industry best practices for secure caching implementations where authorization context must be integral to cache key generation to maintain proper access control boundaries.
Organizations using Directus versions prior to 12.0.0 should immediately implement mitigation strategies including disabling response caching until the upgrade is complete, monitoring cache behavior for anomalous access patterns, and ensuring proper authorization enforcement even when cached responses are served. The vulnerability demonstrates the critical importance of comprehensive security testing around caching mechanisms and highlights the need for thorough consideration of all authorization factors during cache key generation processes to prevent such authorization bypass scenarios.