CVE-2026-35442: Directus Concealed Field Data Leak (HIGH)
Platform
nodejs
Komponente
directus
Fixed in
11.17.0
CVE-2026-35442 is a vulnerability in Directus in which aggregate functions applied to fields with the `conceal` special return the raw database value instead of the masked placeholder that normal reads of the field produce. Combined with `groupBy` (grouping so that each group holds a single row, for example by primary key, turns a per-group aggregate into that row's raw value), any authenticated user with read access to the collection can extract the concealed values of every row. The masking is enforced only on direct field reads, not on derived output. This issue is fixed in Directus version 11.17.0.
How to fix
Upgrade to Directus 11.17.0 or later. Until the upgrade is in place, treat `conceal` as providing no protection against any role that can read the collection: limit read access on collections containing concealed fields to roles that may see the raw values.
Frequently asked questions
What is CVE-2026-35442?
CVE-2026-35442 is a vulnerability in Directus that allows leakage of concealed field values through aggregate functions.
Am I affected by CVE-2026-35442?
You are affected if you are using a version of Directus prior to 11.17.0 and using the conceal field type with aggregate functions.
How can I fix CVE-2026-35442?
Upgrade your Directus instance to version 11.17.0 or later to resolve this vulnerability.
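The following is an added example, not code from Directus or from this advisory. It is a small in-memory model of the bug class described above (masking applied to direct field reads but not to aggregate output) together with the version check from the "Am I affected" answer. The collection, field names, the placeholder string and the exact shape of the fixed behaviour are assumptions for illustration; the page does not document how the upstream fix treats each aggregate function, so the model takes the conservative route and masks every aggregate and every group key derived from a concealed field.

```javascript
// Added example: a minimal model of a read-time masking layer (like the
// `conceal` special) that is bypassed when aggregation runs before masking.
// Nothing here is Directus code; names and placeholder are assumptions.

const CONCEAL_PLACEHOLDER = '**********'; // assumed placeholder text

// Constructed sample schema and rows: `secret` carries the conceal special.
const schema = {
  collection: 'api_keys',
  fields: {
    id: { special: [] },
    owner: { special: [] },
    secret: { special: ['conceal'] },
  },
};

const rows = [
  { id: 1, owner: 'alice', secret: 'sk_live_a1b2c3' },
  { id: 2, owner: 'bob', secret: 'sk_live_d4e5f6' },
];

function isConcealed(schema, field) {
  const def = schema.fields[field];
  return Boolean(def && def.special.includes('conceal'));
}

// Direct field reads: masking is applied per field here, which is correct in
// both the vulnerable and the fixed model.
function readItems(schema, rows, fields) {
  return rows.map((row) =>
    Object.fromEntries(
      fields.map((f) => [f, isConcealed(schema, f) ? CONCEAL_PLACEHOLDER : row[f]])
    )
  );
}

const AGG = {
  count: (v) => v.length,
  min: (v) => v.reduce((a, b) => (b < a ? b : a)),
  max: (v) => v.reduce((a, b) => (b > a ? b : a)),
};

// Shared aggregation core for a query like
// { aggregate: { max: ['secret'] }, groupBy: ['id'] }.
// Grouping by the primary key makes every group a single row, so max() of the
// concealed field is simply that row's raw stored value.
function runAggregate(rows, query) {
  const groups = new Map();
  for (const row of rows) {
    const key = JSON.stringify(query.groupBy.map((g) => row[g]));
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(row);
  }
  const results = [];
  for (const members of groups.values()) {
    const group = Object.fromEntries(query.groupBy.map((g) => [g, members[0][g]]));
    const aggregate = {};
    for (const [fn, fields] of Object.entries(query.aggregate)) {
      aggregate[fn] = {};
      for (const f of fields) {
        const values = members.map((m) => m[f]).filter((v) => v != null);
        aggregate[fn][f] = AGG[fn](values);
      }
    }
    results.push({ group, aggregate });
  }
  return results;
}

// Vulnerable shape: aggregate output is returned untouched; the masking step
// only ever saw plain field selects, so raw values leak.
function aggregateVulnerable(schema, rows, query) {
  return runAggregate(rows, query);
}

// Fixed shape: any group key or aggregate derived from a concealed field is
// masked on the way out (conservatively including count; an assumption).
function aggregateFixed(schema, rows, query) {
  const mask = (obj) =>
    Object.fromEntries(
      Object.entries(obj).map(([f, v]) => [f, isConcealed(schema, f) ? CONCEAL_PLACEHOLDER : v])
    );
  return runAggregate(rows, query).map(({ group, aggregate }) => ({
    group: mask(group),
    aggregate: Object.fromEntries(
      Object.entries(aggregate).map(([fn, perField]) => [fn, mask(perField)])
    ),
  }));
}

// Version check from the FAQ: affected if strictly below 11.17.0.
const FIXED_VERSION = [11, 17, 0];
function isAffectedVersion(version) {
  const parts = version.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable Directus version: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

module.exports = { readItems, aggregateVulnerable, aggregateFixed, isAffectedVersion, CONCEAL_PLACEHOLDER, schema, rows };
```

Running `aggregateVulnerable` with `{ aggregate: { max: ['secret'] }, groupBy: ['id'] }` returns one row per primary key with the raw secret, while `readItems` on the same rows returns only the placeholder; `aggregateFixed` masks the aggregate and also the group key when the concealed field itself is used in `groupBy`. The general lesson is that a masking control must sit on every output path that can be derived from the field, not just the direct select.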