CVE-2026-35409: Directus SSRF Bypass - v11.16.0 Fix
Platform: nodejs
Component: directus
Fixed in: 11.16.0
A Server-Side Request Forgery (SSRF) vulnerability exists in Directus, allowing attackers to bypass IP address validation and potentially access internal resources. This bypass occurs because IPv4-Mapped IPv6 addresses are not properly normalized before being checked against the deny-list. The vulnerability impacts Directus versions before 11.16.0, and a patch is available in version 11.16.0.
How to fix
Upgrade Directus to version 11.16.0 or later to mitigate the SSRF vulnerability. This update corrects the IP address validation, preventing the bypass through IPv4-Mapped IPv6 addresses.
Frequently asked questions
What is CVE-2026-35409?
CVE-2026-35409 is a Server-Side Request Forgery (SSRF) vulnerability in Directus. It allows attackers to bypass IP address validation by using IPv4-Mapped IPv6 addresses, potentially leading to unauthorized access to internal resources.
Am I affected by this vulnerability?
You are affected if you are running a Directus version prior to 11.16.0. If you are running Directus 11.16.0 or later, you are not vulnerable to this specific SSRF bypass.
How do I fix this vulnerability?
Upgrade to Directus version 11.16.0 or later to resolve this SSRF bypass vulnerability. This version includes a fix for the improper normalization of IPv4-Mapped IPv6 addresses.