Server-Side Request Forgery Bypass in Directus API Management Tool
CVE-2026-35409

7.7HIGH

Key Information:

Vendor: Directus
Status: Directus
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-35409?

A flaw has been identified in Directus, a powerful API and application dashboard for SQL database management. Prior to version 11.16.0, the software was susceptible to a Server-Side Request Forgery (SSRF) protection bypass. This security issue arose from an inadequate IP address validation mechanism, which failed to properly block requests to local and private networks. Attackers could exploit this weakness utilizing IPv4-Mapped IPv6 address notation, compromising the integrity and security of the application. The vulnerability has been addressed in version 11.16.0.

Affected Version(s)

directus < 11.16.0

References

https://github.com/directus/directus/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35409 Data

JSON