CVE-2026-35442 in Directus정보

요약

\~에 의해 MITRE • 2026. 04. 07.

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

책임이 있는

GitHub M

예약하다

2026. 04. 02.

공개

2026. 04. 07.

모더레이션

수락

항목

VDB-355693

CPE

준비됨

CWE

CWE-200 (확인됨)

CVSS

8.1 (CNA)

EPSS

0.00018

KEV

아니요

활동

매우 낮음

출처

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-35442
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-35442
CVE Details	https://www.cvedetails.com/cve/CVE-2026-35442/

◂ 이전 개요 다음 ▸

Might our Artificial Intelligence support you?

Check our Alexa App!