Data Exposure Vulnerability in Directus API Dashboard by Directus
CVE-2026-35442

8.1HIGH

Key Information:

Vendor: Directus
Status: Directus
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-35442?

The vulnerability in Directus allows authenticated users to retrieve sensitive data through incorrectly handled aggregate functions. Prior to version 11.17.0, when using the conceal field type, these functions returned raw database values instead of masked placeholders. This flaw can lead to unauthorized access to sensitive information such as static API tokens and two-factor authentication secrets from the directus_users collection, posing significant security risks to applications utilizing Directus for database management.

Affected Version(s)

directus < 11.17.0

References

https://github.com/directus/directus/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Apr 2, 2026

CVE-2026-35442 Data

JSON