Moderate severity · NVD Advisory · Published Feb 12, 2026 · Updated Feb 13, 2026
Directus Affected by User Enumeration via Password Reset Timing Attack
CVE-2026-26185
Description
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
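The ordering defect the description refers to, beside the ordering the fix establishes, as an added TypeScript example rather than Directus's own code: the function names (`stall`, `isUrlAllowed`, `requestResetVulnerable`, `requestResetFixed`, `invalidUrlTimingGap`), the in-memory `USERS` table, the comma-separated allow-list format and the 100 ms `STALL_TIME_MS` value are assumptions made for this example (the advisory's figure is about 500 ms). The vulnerable handler answers an invalid reset URL immediately for an active account but only after the stall for any other address; the fixed handler validates the URL before it ever consults the account table, so that response takes the same time for every address.

```typescript
// Added example (not Directus code): the ordering defect described in the
// advisory beside the fixed ordering. The function names, the in-memory
// USERS table, the allow-list format and STALL_TIME_MS are assumptions made
// for this example; the advisory's own stall figure is about 500 ms.

const STALL_TIME_MS = 100; // constructed value, kept small so the example runs quickly

// Constructed user table standing in for the database lookup.
const USERS: Record<string, { status: 'active' | 'suspended' }> = {
  'alice@example.com': { status: 'active' },
  'bob@example.com': { status: 'suspended' },
};

export type ResetOutcome = 'sent' | 'forbidden' | 'invalid_url';
export interface ResetResult { outcome: ResetOutcome; elapsedMs: number }

// Wait until at least `ms` milliseconds have passed since `start`, so a
// branch that finishes early is padded to the same total duration.
async function stall(ms: number, start: number): Promise<void> {
  const remaining = ms - (Date.now() - start);
  if (remaining > 0) {
    await new Promise<void>((resolve) => setTimeout(resolve, remaining));
  }
}

// Allow-list check: the reset URL must start with one of the comma-separated prefixes.
export function isUrlAllowed(url: string, allowList: string): boolean {
  return allowList
    .split(',')
    .map((prefix) => prefix.trim())
    .filter((prefix) => prefix.length > 0)
    .some((prefix) => url.startsWith(prefix));
}

type ResetHandler = (email: string, url: string, allowList: string) => Promise<ResetResult>;

// "Before" ordering. The account check runs first and pads its failure with
// the stall; the URL check runs afterwards and returns at once. An invalid
// URL therefore answers immediately for an active account but only after the
// full stall for an unknown or suspended one, and the delay reveals which.
export const requestResetVulnerable: ResetHandler = async (email, url, allowList) => {
  const start = Date.now();
  const user = USERS[email];
  if (user?.status !== 'active') {
    await stall(STALL_TIME_MS, start);
    return { outcome: 'forbidden', elapsedMs: Date.now() - start };
  }
  if (url && !isUrlAllowed(url, allowList)) {
    return { outcome: 'invalid_url', elapsedMs: Date.now() - start };
  }
  await stall(STALL_TIME_MS, start); // success path padded too (this example's choice)
  return { outcome: 'sent', elapsedMs: Date.now() - start };
};

// "After" ordering, as in the fix: validate the URL before the lookup, so the
// invalid-URL response takes the same time for every address, and every path
// that does consult the user table is padded to STALL_TIME_MS.
export const requestResetFixed: ResetHandler = async (email, url, allowList) => {
  const start = Date.now();
  if (url && !isUrlAllowed(url, allowList)) {
    return { outcome: 'invalid_url', elapsedMs: Date.now() - start };
  }
  const user = USERS[email];
  if (user?.status !== 'active') {
    await stall(STALL_TIME_MS, start);
    return { outcome: 'forbidden', elapsedMs: Date.now() - start };
  }
  await stall(STALL_TIME_MS, start);
  return { outcome: 'sent', elapsedMs: Date.now() - start };
};

// Regression check for the advisory's scenario: an invalid reset URL sent for
// a known active address and for an unknown one. Returns the absolute
// difference in response time; it is roughly STALL_TIME_MS for the vulnerable
// handler and close to zero for the fixed one.
export async function invalidUrlTimingGap(handler: ResetHandler): Promise<number> {
  const allowList = 'https://app.example.com/'; // constructed allow-list
  const badUrl = 'https://other.example.net/reset'; // not on the allow-list
  const known = await handler('alice@example.com', badUrl, allowList);
  const unknown = await handler('nobody@example.com', badUrl, allowList);
  return Math.abs(known.elapsedMs - unknown.elapsedMs);
}
```

`invalidUrlTimingGap` is the kind of check worth keeping in a test suite after a fix like this: it exercises the exact request shape the advisory names and fails if a later refactor moves an unpadded early return back in front of the account lookup.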
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| directus | npm | < 11.14.1 | 11.14.1 |
| @directus/api | npm | < 32.2.0 | 32.2.0 |
Affected products
- directus/@directus/api (v5): Range < 32.2.0
Patches
e69aa7a5248c Merge from fork (#26485)
2 files changed · +9 −4
api/src/services/users.ts+4 −4 modified@@ -558,17 +558,17 @@ export class UsersService extends ItemsService { const STALL_TIME = 500; const timeStart = performance.now(); + if (url && isUrlAllowed(url, env['PASSWORD_RESET_URL_ALLOW_LIST'] as string) === false) { + throw new InvalidPayloadError({ reason: `URL "${url}" can't be used to reset passwords` }); + } + const user = await this.getUserByEmail(email); if (user?.status !== 'active') { await stall(STALL_TIME, timeStart); throw new ForbiddenError(); } - if (url && isUrlAllowed(url, env['PASSWORD_RESET_URL_ALLOW_LIST'] as string) === false) { - throw new InvalidPayloadError({ reason: `URL "${url}" can't be used to reset passwords` }); - } - const mailService = new MailService({ schema: this.schema, knex: this.knex,
.changeset/olive-squids-tease.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'@directus/api': patch +--- + +Fixed password reset timing
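Review bot: in the api/src/services/users.ts hunk, moving the `isUrlAllowed` check ahead of `getUserByEmail` removes the gap for the invalid-URL case, but the hunk adds no test that pins this down; add a regression test that requests a reset with a rejected `reset_url` for an existing and a non-existing address and asserts both fail with `InvalidPayloadError` before any lookup, so a later refactor cannot reintroduce an unpadded early return between the lookup and the stalled `ForbiddenError`. The visible context also shows `stall(STALL_TIME, timeStart)` only on the forbidden branch; the success path after `new MailService(...)` is outside the hunk, so confirm that it is padded to the same `STALL_TIME` as well, otherwise a valid URL still yields a measurable difference between active and inactive accounts.

Review bot: in the .changeset/olive-squids-tease.md hunk, "Fixed password reset timing" is too vague for a security fix; say what changed (the `reset_url` allow-list check now runs before the user lookup, so an invalid URL no longer reveals whether the email exists) and reference the advisory, so that release notes can be matched to the CVE by downstream consumers.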
References
- github.com/advisories/GHSA-jr94-gj3h-c8rf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26185 (ghsa, ADVISORY)
- github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a (ghsa, x_refsource_MISC, WEB)
- github.com/directus/directus/pull/26485 (ghsa, x_refsource_MISC, WEB)
- github.com/directus/directus/releases/tag/v11.14.1 (ghsa, x_refsource_MISC, WEB)
- github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf (ghsa, x_refsource_CONFIRM, WEB)