Moderate severity · NVD Advisory · Published Feb 12, 2026 · Updated Feb 13, 2026
Directus Affected by User Enumeration via Password Reset Timing Attack
CVE-2026-26185
Description
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| directus | npm | < 11.14.1 | 11.14.1 |
| @directus/api | npm | < 32.2.0 | 32.2.0 |
Affected products
Two version ranges from the GHSA coordinates; no CPE is assigned to either.
- range: < 32.2.0
- range: < 11.14.1
References
- github.com/advisories/GHSA-jr94-gj3h-c8rf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-26185 (GHSA, advisory)
- github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a (GHSA, x_refsource_MISC, web)
- github.com/directus/directus/pull/26485 (GHSA, x_refsource_MISC, web)
- github.com/directus/directus/releases/tag/v11.14.1 (GHSA, x_refsource_MISC, web)
- github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf (GHSA, x_refsource_CONFIRM, web)