CVE-2026-35412HIGH 8.1EPSS p21.7%

CVE-2026-35412CVE-2026-35412

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. This vulnerability is fixed in 11.16.1.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS0.30% probability of exploitation · percentile 21.7% · 2026-06-18T12:00:27Z
Published2026-04-06
Last modified2026-04-20

Underlying weaknesses· 1

CWE-863

References

  1. https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89

1

TypeTargetConfidenceTier
WeaknessIncorrect Authorizationcwe-8630%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-39942
CVE
CVE-2026-35442
CVE
CVE-2026-35408
CVE
CVE-2026-29188
CVE
CVE-2026-32759
CVE
CVE-2026-35604
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.