anonhaven
Ad

CVE-2026-39942

HIGH CVSS 3.1: 8.5 EPSS 0.03%
Updated Apr 09, 2026
Directus
Parameter Value
CVSS 8.5 (HIGH)
Fixed In 11.17.0
Type CWE-639 (Authorization Bypass), CWE-284 (Improper Access Control)
Vendor Directus
Public PoC No

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering.

This vulnerability is fixed in 11.17.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-639 Authorization Bypass
CWE-284 Improper Access Control

References 2

https://github.com/directus/directus/releases/tag/v11.17.0
security-advisories@github.com
https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39943

Directus

6.5

CVE-2026-35442

Directus

8.1

CVE-2026-35441

Directus

6.5

CVE-2026-35413

Directus

5.3

CVE-2026-35412

Directus

7.1