Authorization Context Oversight in Directus API Caching Mechanism
CVE-2026-61836

8.6HIGH

Key Information:

Vendor

Directus

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61836?

Directus is a robust real-time API and app dashboard designed for managing SQL database content. A vulnerability exists in versions prior to 12.0.0 related to the caching mechanism when response caching is enabled. The cache-key derivation process fails to include critical authorization contexts, such as share, role, and policies. This oversight allows different shares or anonymous clients to potentially access a permission-filtered cached response without re-evaluation of permissions, rendering the system insecure. The issue has been addressed in version 12.0.0, reinforcing the importance of proper context handling in caching mechanisms.

Affected Version(s)

directus < 12.0.0

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.