VYPR

npm package

@directus/api

pkg:npm/%40directus/api

Vulnerabilities (12)

  • CVE-2026-26185 (Feb 12, 2026)
    affected: < 32.2.0; fixed: 32.2.0

    Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 5

  • CVE-2026-22032 (Jan 8, 2026)
    affected: < 32.1.1; fixed: 32.1.1

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve t

  • CVE-2025-64749 (Nov 13, 2025)
    affected: < 32.0.0; fixed: 32.0.0

    Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two

  • CVE-2025-64748 (Nov 13, 2025)
    affected: < 32.0.0; fixed: 32.0.0

    Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful ma

  • CVE-2025-55746 (Aug 20, 2025)
    affected: >= 14.1.0, < 28.0.2; fixed: 28.0.2

    Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied

  • CVE-2025-30351 (Mar 26, 2025)
    affected: >= 18.0.0, < 24.0.1; fixed: 24.0.1

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a chec

  • CVE-2025-27089 (Feb 19, 2025)
    affected: >= 22.0.0, < 23.1.0; fixed: 23.1.0

    Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply

  • CVE-2024-54151 (Dec 9, 2024)
    affected: >= 22.2.0, < 23.2.0; fixed: 23.2.0

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operat

  • CVE-2024-47822 (Oct 8, 2024)
    affected: < 21.0.0; fixed: 21.0.0

    Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `ra

  • CVE-2024-46990 (Sep 18, 2024)
    affected: < 21.0.0; fixed: 21.0.0

    Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This is

  • CVE-2024-45596 (Sep 10, 2024)
    affected: < 21.0.1; fixed: 21.0.1

    Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoin

  • CVE-2024-39699 (Jul 8, 2024)
    affected: < 17.1.0; fixed: 17.1.0

    Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass t