File Overwrite Vulnerability in Directus by Directus
CVE-2026-35412

7.1HIGH

Key Information:

Vendor: Directus
Status: Directus
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-35412?

Directus, a real-time API and dashboard application for managing SQL database content, has a vulnerability within its TUS resumable upload feature. Prior to version 11.16.1, this vulnerability allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files using their UUID. The TUS controller only performs collection-level authorization checks without verifying item-level access for the specific files being replaced. Consequently, users can bypass row-level permission rules, allowing unauthorized updates to files they do not own. This poses a significant risk to data integrity and confidentiality, which is addressed in the release of version 11.16.1.

Affected Version(s)

directus < 11.16.1

References

https://github.com/directus/directus/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35412 Data

JSON