Resource Exhaustion Vulnerability in Directus API by Directus
CVE-2026-35441

6.5 MEDIUM

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-35441?

Prior to version 11.17.0, Directus' GraphQL endpoints posed a resource exhaustion risk because resolver invocations were not deduplicated within a single request. An authenticated user could use GraphQL aliasing to make the same complex relational query execute repeatedly, causing many independent database queries to run concurrently and sharply increasing database load. The existing token limit on GraphQL queries did not sufficiently mitigate this, as it still permitted enough aliases for significant resource depletion. Because rate limiting is not enabled by default, the issue could lead to CPU, memory, and I/O exhaustion and degrade overall service availability. The issue has been addressed in version 11.17.0.
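The two mitigations the description points at, deduplicating identical resolver invocations within one request and bounding how many distinct resolver executions a request may trigger, are shown below as an added example. It is not Directus' own code: the database object is a constructed stand-in that only counts the queries it receives, and the resolver, context and budget names are assumptions chosen for illustration.

```javascript
// Added example (not Directus' own code): request-scoped defences against
// GraphQL alias amplification. A request that aliases one field N times
// should not cost N backend queries, and a request that asks for N distinct
// expensive resolver executions should be cut off at a budget.

// Constructed stand-in for a database: it only counts the queries it runs.
function makeDb() {
  return {
    queries: 0,
    loadArticles(filter) {
      this.queries += 1;
      return [{ id: 1, title: 'hello', filter }];
    },
  };
}

// Stable cache key for one resolver invocation: field name plus a canonical
// JSON encoding of its (flat) argument object, so {a, b} and {b, a} collide.
function invocationKey(field, args) {
  return `${field}:${JSON.stringify(args, Object.keys(args).sort())}`;
}

// Per-request context: the dedup cache and execution counter live only as
// long as this request, so nothing is shared between users or requests.
function makeRequestContext(db, maxExecutions) {
  return { db, cache: new Map(), executions: 0, maxExecutions };
}

// Wraps a resolver so that, within one request, identical (field, args)
// invocations run once and share the result, and the number of distinct
// executions is bounded by ctx.maxExecutions (an assumed, per-request limit).
function guard(field, resolver) {
  return (args, ctx) => {
    const key = invocationKey(field, args);
    if (ctx.cache.has(key)) {
      return ctx.cache.get(key); // alias of an invocation already executed
    }
    ctx.executions += 1;
    if (ctx.executions > ctx.maxExecutions) {
      throw new Error(`resolver execution budget of ${ctx.maxExecutions} exceeded`);
    }
    const result = resolver(args, ctx);
    ctx.cache.set(key, result);
    return result;
  };
}

// Naive resolver: every invocation hits the database.
const articlesNaive = (args, ctx) => ctx.db.loadArticles(args.filter);
// Hardened resolver: deduplicated and budgeted per request.
const articlesGuarded = guard('articles', articlesNaive);

// Simulates a query that aliases the same field once per entry in `filters`:
//   { a1: articles(filter: "x") { id }  a2: articles(filter: "x") { id } ... }
// Identical filters are what the dedup cache collapses; distinct filters are
// what the execution budget must catch. Returns the number of backend queries
// issued and, if the request was cut off, the error message.
function runAliasedRequest(resolver, filters, maxExecutions = 10) {
  const ctx = makeRequestContext(makeDb(), maxExecutions);
  try {
    filters.forEach((filter) => resolver({ filter }, ctx));
    return { queries: ctx.db.queries, rejected: null };
  } catch (err) {
    return { queries: ctx.db.queries, rejected: err.message };
  }
}

// Constructed sample inputs: 50 aliases with the same argument, and 50 with
// distinct arguments.
const sameArgs = Array(50).fill('published');
const distinctArgs = Array.from({ length: 50 }, (_, i) => `filter-${i}`);

console.log('naive, same args   :', runAliasedRequest(articlesNaive, sameArgs));
console.log('guarded, same args :', runAliasedRequest(articlesGuarded, sameArgs));
console.log('guarded, distinct  :', runAliasedRequest(articlesGuarded, distinctArgs));
```

Deduplication alone only helps when the aliases repeat the same arguments; the budget is what stops a request that varies the argument per alias, which is why the two are combined here rather than relying on either by itself.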

Affected Version(s)

directus < 11.17.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
