CVE-2026-35442

EPSS 0.04%
Veröffentlicht 06.04.2026 21:36:57
Zuletzt bearbeitet 20.04.2026 16:32:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version < 11.17.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.114

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-35442

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35442

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35442

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35442