CVE-2026-35442 in Directusinformação

Sumário

de MITRE • 07/04/2026

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

GitHub M

Reservar

02/04/2026

Divulgação

07/04/2026

Moderação

aceite

Entrada

VDB-355693

CPE

pronto

CWE

CWE-200 (confirmado)

CVSS

8.1 (CNA)

EPSS

0.00018

KEV

não

Atividades

muito baixo

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-35442
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-35442
CVE Details	https://www.cvedetails.com/cve/CVE-2026-35442/

◂ Voltar Visão Geral Próximo ▸

Might our Artificial Intelligence support you?

Check our Alexa App!