Cross-Origin Vulnerability in Directus Single Sign-On Login Pages
CVE-2026-35408

8.7 HIGH

Key Information:

Vendor

Directus

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-35408?

Directus, a real-time API and management dashboard for SQL database content, has a vulnerability in its Single Sign-On (SSO) login pages due to the absence of a Cross-Origin-Opener-Policy (COOP) HTTP response header in versions prior to 11.17.0. This security flaw allows a malicious cross-origin window that interacts with the Directus login page to manipulate the window object, risking the interception and redirection of the OAuth authorization flow to an attacker-controlled OAuth client. Consequently, users may inadvertently grant access to their authentication provider accounts, such as Google or Discord. The issue has been addressed in version 11.17.0.

Affected Version(s)

directus < 11.17.0

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved