File Overwrite Vulnerability in Directus by Directus
CVE-2026-39942

8.5 HIGH

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 9 April 2026

What is CVE-2026-39942?

Directus, an API and app dashboard for managing SQL database content, contains a vulnerability in its PATCH /files/{id} endpoint in versions prior to 11.17.0. The endpoint accepts the user-controlled filename_disk parameter, which an attacker can use to overwrite files belonging to other users: by changing the parameter, the attacker can point their own file record at the on-disk name of another user's stored file. The attacker can also manipulate metadata fields such as uploaded_by to conceal the unauthorized change, putting the integrity and security of stored data at risk. The issue is fixed in Directus version 11.17.0.
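The following is an added illustrative example, not Directus code and not the project's 11.17.0 fix: a server-side guard that rejects client attempts to set server-managed file fields on PATCH /files/{id}, plus a detector that sweeps request records for the same pattern. The field names filename_disk and uploaded_by come from the advisory; the storage field, the caller shape, and the request-record format are assumptions.

```javascript
// Added example (assumed shapes, not Directus internals). Fields the server
// alone should set on a file record; filename_disk and uploaded_by are the
// two the advisory names, `storage` is an assumed related field.
const SERVER_MANAGED_FIELDS = ['filename_disk', 'uploaded_by', 'storage'];

// Guard for a PATCH /files/{id} body. Rejects (rather than silently strips)
// any client-supplied server-managed field, and requires the caller to be the
// uploader or an admin. `caller` is { id, admin }; `existing` is the stored
// record. Rejecting keeps the attempt visible to the caller and to logging.
function checkFilePatch(body, caller, existing) {
  const violations = [];
  for (const field of SERVER_MANAGED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      violations.push(`client-supplied ${field}`);
    }
  }
  if (!caller.admin && existing.uploaded_by !== caller.id) {
    violations.push('caller is not the uploader');
  }
  return { allowed: violations.length === 0, violations };
}

// Retrospective detection over request records of the assumed shape
// { method, path, user, bodyKeys }: flag PATCHes to a single file whose body
// names a server-managed field. Only works where body keys are logged.
const FILE_PATCH_PATH = /^\/files\/[^/]+$/;
function flagFilePatches(records) {
  return records.filter((r) =>
    r.method === 'PATCH' &&
    FILE_PATCH_PATH.test(r.path) &&
    r.bodyKeys.some((k) => SERVER_MANAGED_FIELDS.includes(k)));
}

// Constructed sample records (not real traffic).
const SAMPLE_RECORDS = [
  { method: 'PATCH', path: '/files/aaa-111', user: 'u1', bodyKeys: ['title'] },
  { method: 'PATCH', path: '/files/bbb-222', user: 'u2', bodyKeys: ['filename_disk', 'uploaded_by'] },
  { method: 'GET', path: '/files/bbb-222', user: 'u2', bodyKeys: [] },
];

// Stand-alone run: one flagged record and one rejected patch are expected.
console.log(flagFilePatches(SAMPLE_RECORDS));
console.log(checkFilePatch({ filename_disk: 'x.png' }, { id: 'u2', admin: false }, { uploaded_by: 'u1' }));
```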

Affected Version(s)

directus < 11.17.0

References

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
