Authorization Context Oversight in Directus API Caching Mechanism
CVE-2026-61836
8.6HIGH
What is CVE-2026-61836?
Directus is a robust real-time API and app dashboard designed for managing SQL database content. A vulnerability exists in versions prior to 12.0.0 related to the caching mechanism when response caching is enabled. The cache-key derivation process fails to include critical authorization contexts, such as share, role, and policies. This oversight allows different shares or anonymous clients to potentially access a permission-filtered cached response without re-evaluation of permissions, rendering the system insecure. The issue has been addressed in version 12.0.0, reinforcing the importance of proper context handling in caching mechanisms.
Affected Version(s)
directus < 12.0.0
