CVE-2026-35442: Directus Conceal Field Leak - HIGH
Platform
nodejs
Component
directus
Fixed in
11.17.0
CVE-2026-35442 is a security vulnerability in the Directus content management system. The `conceal` field type is meant to return a masked placeholder instead of the stored value, but aggregate queries over such fields return the raw database value. An authenticated user with read access to the collection can therefore bypass the masking and extract the underlying data, which may include secrets such as API tokens and two-factor authentication secrets. The vulnerability affects Directus versions prior to 11.17.0 and is fixed in version 11.17.0.
How to fix
Upgrade Directus to version 11.17.0 or later to fix the vulnerability. This release corrects the incorrect handling of concealed fields in aggregate queries, preventing authenticated users from extracting the sensitive data those fields are meant to mask.
Frequently asked questions
What is CVE-2026-35442?
CVE-2026-35442 is a high-severity vulnerability in Directus where aggregate functions on 'conceal' fields incorrectly return raw database values instead of masked placeholders. This allows authenticated users to extract sensitive data like API tokens and 2FA secrets.
Am I affected by CVE-2026-35442?
You are affected if you are running a Directus version prior to 11.17.0 and any collection uses 'conceal' fields. Any authenticated user with read access to such a collection can potentially extract the raw values of those fields through aggregate queries.
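The two conditions above (version below 11.17.0, and conceal fields in use) can be checked mechanically. The following script is an added example, not Directus project code or code from this advisory. It assumes the installed version is taken from your deployment (for example the `version` field in `package.json` or the output of `npm ls directus`), and it assumes that field definitions have the shape returned by the Directus `GET /fields` endpoint (objects with `collection`, `field` and `meta.special`) and that the conceal behaviour is recorded in `meta.special`; verify that assumption against your own instance before relying on the result. The sample field list is constructed for the example.

```javascript
// Added example for CVE-2026-35442 scoping; not Directus project code.
// Assumptions: field objects look like GET /fields output
// ({ collection, field, meta: { special: [...] } }) and conceal fields
// carry "conceal" in meta.special. Check this against your instance.

const FIXED_VERSION = "11.17.0";

// Parse "v11.16.2" or "11.17.0-rc.1" into numeric core plus optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] || null,
  };
}

// Numeric comparison of major.minor.patch; returns -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is below the fixed release. A prerelease
// of the fixed version (e.g. 11.17.0-rc.1) sorts before 11.17.0 under semver,
// so it is conservatively treated as still vulnerable.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = parseVersion(installed);
  const b = parseVersion(fixed);
  const c = compareCore(a.core, b.core);
  if (c !== 0) return c < 0;
  return a.prerelease !== null;
}

// Collect "collection.field" names whose meta.special marks them as conceal.
// Field shape is an assumption (see lead-in), so missing meta is tolerated.
function findConcealFields(fields) {
  return fields
    .filter((f) => Array.isArray(f?.meta?.special) && f.meta.special.includes("conceal"))
    .map((f) => `${f.collection}.${f.field}`);
}

// Both advisory conditions must hold for the instance to be in scope.
function assessExposure(installedVersion, fields) {
  const concealFields = findConcealFields(fields);
  const vulnerableVersion = isVulnerableVersion(installedVersion);
  return {
    installedVersion,
    fixedVersion: FIXED_VERSION,
    vulnerableVersion,
    concealFields,
    affected: vulnerableVersion && concealFields.length > 0,
  };
}

// Constructed sample data, not taken from any real instance.
const SAMPLE_FIELDS = [
  { collection: "integrations", field: "api_token", meta: { special: ["conceal"] } },
  { collection: "integrations", field: "name", meta: { special: null } },
  { collection: "users_ext", field: "totp_secret", meta: { special: ["conceal"] } },
];

// Example run: an unpatched instance that stores secrets in conceal fields.
console.log(JSON.stringify(assessExposure("11.16.2", SAMPLE_FIELDS), null, 2));
```

An instance that reports `affected: true` should be upgraded; one that is below 11.17.0 but has no conceal fields has nothing for this flaw to expose, but the upgrade is still the correct course of action before any such field is added.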
How do I fix CVE-2026-35442?
Upgrade your Directus installation to version 11.17.0 or later. This version includes a patch that resolves the vulnerability and ensures that 'conceal' fields are properly masked.