CVE-2026-35412

EPSS 0.03%
Veröffentlicht 06.04.2026 21:33:44
Zuletzt bearbeitet 20.04.2026 16:40:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. This vulnerability is fixed in 11.16.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version < 11.16.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.094

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-35412

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35412

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35412

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35412