Open Redirect Vulnerability in Directus by Directus
CVE-2026-35410

6.1 MEDIUM

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-35410?

Directus, a real-time API and App dashboard for managing SQL database content, is susceptible to an open redirect vulnerability in versions prior to 11.16.1. The flaw sits in the login redirection logic, specifically in the isLoginRedirectAllowed function, which mishandles certain malformed URLs: a redirect target that a browser resolves to an external origin is not rejected, so it passes the redirect allow-list check. An attacker who gets a victim to open a crafted login link can therefore have the victim sent to an arbitrary external domain immediately after a successful authentication, a position that lends itself to phishing users who trust the Directus origin. The victim must follow the link and log in, which is why the CVSS vector records user interaction as required. The issue is fixed in version 11.16.1.
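The pattern behind this class of bug, as an added illustration written for this page (it is not Directus's isLoginRedirectAllowed and does not reproduce the actual Directus fix): a naive login-redirect allow-list check that decides on the raw string, beside a hardened one that resolves the value the way a browser does and decides on the resulting origin. PUBLIC_URL, ALLOWED_ORIGINS and the probe values are assumed and constructed for the example.

```javascript
// Added illustration for this advisory (not Directus's own isLoginRedirectAllowed):
// a naive login-redirect allow-list check next to a hardened one, probed with
// the kinds of malformed redirect values that a browser resolves to another
// origin. PUBLIC_URL and ALLOWED_ORIGINS are assumed configuration values.

const PUBLIC_URL = 'https://directus.example.com/';      // assumed app origin
const ALLOWED_ORIGINS = ['https://app.example.com'];     // assumed allow-list

// Weak check, shown deliberately: a leading "/" is taken to mean "stays on this
// site", and allow-listed origins are matched by string prefix.
function naiveIsLoginRedirectAllowed(redirect) {
  if (redirect.startsWith('/')) return true;
  return ALLOWED_ORIGINS.some((origin) => redirect.startsWith(origin));
}

// Resolve the value the way a browser will, i.e. as a WHATWG URL relative to
// the app's public URL. Returns the resulting origin, or null if unparseable.
function resolveOrigin(redirect) {
  try {
    return new URL(redirect, PUBLIC_URL).origin;
  } catch {
    return null;
  }
}

// Hardened check: decide on the resolved origin, never on the raw string.
function isLoginRedirectAllowed(redirect) {
  if (typeof redirect !== 'string' || redirect.length === 0) return false;
  let target;
  try {
    target = new URL(redirect, PUBLIC_URL);
  } catch {
    return false;
  }
  // Refuse javascript:, data:, file: and other non-web schemes outright.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  const self = new URL(PUBLIC_URL).origin;
  return target.origin === self || ALLOWED_ORIGINS.includes(target.origin);
}

// Constructed probe values (not taken from any real report). The malformed
// ones start with "/" or with an allow-listed origin as text, yet leave the site.
const PROBES = [
  '/admin/content',                         // genuine relative path
  'https://app.example.com/dashboard',      // allow-listed origin
  '//evil.example/phish',                   // protocol-relative URL
  '/\\evil.example/phish',                  // backslash is a slash for http(s)
  '/\t/evil.example',                       // tab is stripped by the URL parser
  'https://app.example.com@evil.example/',  // allow-listed origin as userinfo
  'https://app.example.com.evil.example/',  // allow-listed origin as a prefix
  'javascript:alert(1)',                    // non-web scheme
];

// Evaluate every probe with both checks; returns one row per probe.
function evaluateProbes() {
  return PROBES.map((redirect) => ({
    redirect,
    resolvesTo: resolveOrigin(redirect),
    naive: naiveIsLoginRedirectAllowed(redirect),
    hardened: isLoginRedirectAllowed(redirect),
  }));
}

// Probes the naive check accepts although the browser would leave the site.
function naiveBypasses() {
  const self = new URL(PUBLIC_URL).origin;
  return evaluateProbes()
    .filter((r) => r.naive && r.resolvesTo !== self && !ALLOWED_ORIGINS.includes(r.resolvesTo))
    .map((r) => r.redirect);
}

console.table(evaluateProbes());
```

The design point is that the allow-list decision must be made on the same parse a browser performs: the WHATWG URL parser treats a backslash as a slash for http(s), strips tabs and newlines, and reads an allow-listed host that appears before an "@" as userinfo, so any check that inspects the raw string before resolving it against the application's own public URL is comparing something the browser never sees.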

Affected Version(s)

directus < 11.16.1

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 6 April 2026

  • Vulnerability Reserved