Directus MySQL accent insensitive email matching
Description
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user: the email arrives at an address similar to the victim's, with one or more characters changed to accented variants. This is because MySQL/MariaDB are configured by default for accent-insensitive and case-insensitive string comparisons, so the victim's row matches the accented address and the reset mail is sent to the address the attacker supplied. This vulnerability is fixed in version 10.8.3.
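The following is an added example, not Directus code, that models the behaviour described above: an in-memory table whose lookup approximates MySQL's accent- and case-insensitive (ai_ci) collation, the pre-fix flow that mails the caller-supplied address, the fixed flow that mails the stored address (what the 10.8.3 patch does by selecting `email` from the row), and an extra application-side exact-match check that is an assumption of this example rather than part of the patch. The sample users, the `accentInsensitiveKey` approximation and all function names are constructed for illustration. An alternative defence at the database level is to compare under an accent-sensitive or binary collation such as `utf8mb4_bin`.

```typescript
// Added example (not Directus code): simulates an accent-insensitive email lookup
// and shows why the reset recipient must be the stored address, not the input.

interface UserRow {
  id: string;
  email: string;
}

// Constructed sample table (hypothetical users, not real data).
const USERS: UserRow[] = [
  { id: 'u1', email: 'jose@example.com' },
  { id: 'u2', email: 'anna.muller@example.com' },
];

// Approximates an ai_ci comparison key: decompose to NFD, strip combining
// diacritical marks (U+0300..U+036F), then fold case.
function accentInsensitiveKey(s: string): string {
  return s.normalize('NFD').replace(/[\u0300-\u036f]/g, '').toLowerCase();
}

// Simulates `SELECT ... WHERE LOWER(email) = ?` under an ai_ci collation:
// rows whose email differs only by accents or case are returned as matches.
function findUserByEmail(requested: string): UserRow | undefined {
  const key = accentInsensitiveKey(requested);
  return USERS.find((u) => accentInsensitiveKey(u.email) === key);
}

// Pre-fix behaviour: the mail goes to whatever address the caller supplied,
// even though the matched row belongs to a different (unaccented) address.
function resetRecipientBeforeFix(requested: string): string | undefined {
  const user = findUserByEmail(requested);
  return user ? requested : undefined;
}

// Fixed behaviour: select the stored email and use it as the recipient (and in
// the token payload), so an accented variant cannot redirect the mail.
function resetRecipientAfterFix(requested: string): string | undefined {
  const user = findUserByEmail(requested);
  return user ? user.email : undefined;
}

// Additional application-side check (assumption, not part of the patch):
// only accept the request when the input equals the stored address after case
// folding, so accent variants are rejected outright instead of being redirected.
function exactMatchOrUndefined(requested: string): UserRow | undefined {
  const user = findUserByEmail(requested);
  if (!user) return undefined;
  return user.email.toLowerCase() === requested.toLowerCase() ? user : undefined;
}

// Stand-alone demonstration.
console.log(resetRecipientBeforeFix('josé@example.com')); // josé@example.com (wrong recipient)
console.log(resetRecipientAfterFix('josé@example.com'));  // jose@example.com (stored address)
console.log(exactMatchOrUndefined('josé@example.com'));   // undefined (rejected)
```

The lookup itself is left lenient on purpose, mirroring the patch: the `whereRaw` query in Directus is unchanged, and the fix relies on never reusing the input address once the row has been found.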
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 10.8.3 | 10.8.3 |
Patches
a8ef790ea2d2 Merge pull request from GHSA-qw9g-7549-7wg5
1 file changed · +9 −7
api/src/services/users.ts+9 −7 modified@@ -139,9 +139,11 @@ export class UsersService extends ItemsService { /** * Get basic information of user identified by email */ - private async getUserByEmail(email: string): Promise<{ id: string; role: string; status: string; password: string }> { + private async getUserByEmail( + email: string + ): Promise<{ id: string; role: string; status: string; password: string; email: string }> { return await this.knex - .select('id', 'role', 'status', 'password') + .select('id', 'role', 'status', 'password', 'email') .from('directus_users') .whereRaw(`LOWER(??) = ?`, ['email', email.toLowerCase()]) .first(); @@ -393,13 +395,13 @@ export class UsersService extends ItemsService { const subjectLine = subject ?? "You've been invited"; await mailService.send({ - to: email, + to: user.email, subject: subjectLine, template: { name: 'user-invitation', data: { url: this.inviteUrl(email, url), - email, + email: user.email, }, }, }); @@ -451,7 +453,7 @@ export class UsersService extends ItemsService { accountability: this.accountability, }); - const payload = { email, scope: 'password-reset', hash: getSimpleHash('' + user.password) }; + const payload = { email: user.email, scope: 'password-reset', hash: getSimpleHash('' + user.password) }; const token = jwt.sign(payload, env['SECRET'] as string, { expiresIn: '1d', issuer: 'directus' }); const acceptURL = url @@ -461,13 +463,13 @@ export class UsersService extends ItemsService { const subjectLine = subject ? subject : 'Password Reset Request'; await mailService.send({ - to: email, + to: user.email, subject: subjectLine, template: { name: 'password-reset', data: { url: acceptURL, - email, + email: user.email, }, }, });
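Review bot: in the getUserByEmail hunk the lookup still runs `whereRaw('LOWER(??) = ?', ...)`, so under an accent-insensitive collation (the MySQL/MariaDB default) it will keep returning a row for an accented variant of the input; selecting and returning `email` is the right change, but the doc comment above it ("Get basic information of user identified by email") should say that callers must use the returned `email` and not the input address afterwards, since that contract is what the fix depends on.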
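Review bot: in the invitation hunk, `url: this.inviteUrl(email, url)` still receives the caller-supplied `email` while `to` and `data.email` now use `user.email`, so if the invite URL embeds the address, the link and the recipient can disagree for an accent or case variant. Suggest `url: this.inviteUrl(user.email, url)` for consistency, or a comment explaining why the input address is intended there.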
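Review bot: in the payload hunk, `email: user.email` binds the reset token to the stored address, which is correct; the code that later verifies this token is not in the diff, and it needs to compare the payload address to the stored row with an exact comparison rather than re-running the accent-insensitive lookup, otherwise the canonicalisation done here is undone. A test that requests a reset with an accented address and asserts the token carries the stored address would document that expectation.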
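Review bot: in the password-reset mail hunk, `to: user.email` and `email: user.email` mirror the invitation hunk, so after this change the `email` parameter is only needed for the lookup. Consider shadowing it right after the lookup (`const { email } = user`) or renaming the parameter (e.g. `requestedEmail`) so that a future edit cannot reintroduce the input address as a recipient by mistake.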
References
- github.com/advisories/GHSA-qw9g-7549-7wg5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27295 (advisory)
- dev.mysql.com/doc/refman/8.0/en/charset-unicode-sets.html (web)
- github.com/directus/directus/commit/a8ef790ea2d28b1727f9027d99bd360920d57919 (web)
- github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5 (web, x_refsource_CONFIRM)
- www.monolune.com/articles/what-is-the-utf8mb4_0900_ai_ci-collation (web)