Platform: nodejs
Component: directus
Fixed in: 11.17.1, 11.17.0
CVE-2026-35408 affects Directus, an open-source headless CMS. This vulnerability stems from the absence of a Cross-Origin-Opener-Policy (COOP) HTTP response header on Directus's Single Sign-On (SSO) login pages. An attacker can exploit this to redirect the OAuth authorization flow, potentially compromising user accounts linked to authentication providers like Google or Discord. Upgrade to version 11.17.0 to resolve this issue.
The core of the vulnerability lies in the missing COOP header. Without it, a malicious website can open the Directus login page within an iframe. This allows the attacker to manipulate the Directus page's window object, effectively intercepting and redirecting the OAuth authorization flow. The attacker can then set up a rogue OAuth client and trick a user into authenticating with it, unknowingly granting the attacker access to their authentication provider account. This could lead to unauthorized access to sensitive data and potentially complete account takeover, depending on the permissions granted to the OAuth application.
This vulnerability was publicly disclosed on 2026-04-04. There is currently no indication of active exploitation in the wild, but the availability of a public description makes it a potential target. The ease of exploitation, combined with the potential impact, warrants immediate attention. The vulnerability does not appear to be listed on CISA KEV as of this writing.
Exploit Status
EPSS: 0.02% (4th percentile)
The primary mitigation is to upgrade Directus to version 11.17.0 or later, which includes the necessary COOP header. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to add the `Cross-Origin-Opener-Policy: same-origin` header to the Directus SSO login pages. This is a temporary workaround and should be replaced with a proper upgrade as soon as possible. Monitor authentication logs for suspicious OAuth redirection attempts. After upgrading, confirm the presence of the COOP header by inspecting the HTTP response headers of the Directus SSO login page using browser developer tools or `curl -I <directus-sso-url>`.
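As an added example, not part of this advisory or of the Directus project, the script below automates the verification step described above: it parses the response headers returned by `curl -I` and reports whether the page sends `Cross-Origin-Opener-Policy` with the value `same-origin`, the value the mitigation calls for. Header-name casing and CRLF line endings from the wire are handled, and a missing header, `unsafe-none` or any other value is reported as not mitigated. The SSO login URL is an assumed placeholder (`https://directus.example/<sso-login-path>`), supplied through the `DIRECTUS_SSO_URL` environment variable, and the sample responses are constructed for the offline self-check, not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or the Directus project): verify that a
# Directus SSO login page sends Cross-Origin-Opener-Policy: same-origin, which
# isolates the login page's browsing context from a cross-origin opener.
# The parsing helpers run offline on constructed sample responses; the live
# check runs only when DIRECTUS_SSO_URL is set.

# coop_value: read raw HTTP response headers on stdin and print the value of
# the Cross-Origin-Opener-Policy header. Header names are case-insensitive;
# CR characters and surrounding whitespace are stripped. Prints nothing when
# the header is absent.
coop_value() {
    tr -d '\r' | awk '
        {
            n = index($0, ":")
            if (n == 0) next
            name = tolower(substr($0, 1, n - 1))
            if (name == "cross-origin-opener-policy") {
                v = substr($0, n + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }'
}

# check_coop: $1 is a raw header block. Returns 0 only when COOP is present
# with the exact value the advisory specifies ("same-origin"); a missing
# header, "unsafe-none" or any other value returns 1.
check_coop() {
    v=$(printf '%s\n' "$1" | coop_value)
    if [ "$v" = "same-origin" ]; then
        echo "OK: Cross-Origin-Opener-Policy: same-origin"
        return 0
    fi
    echo "NOT MITIGATED: Cross-Origin-Opener-Policy is '${v:-<absent>}', expected same-origin" >&2
    return 1
}

# check_coop_url: fetch the headers of a live page with curl -I and check them.
# $1 is the SSO login URL (assumed placeholder: https://directus.example/<sso-login-path>).
# Returns 2 when the request itself fails.
check_coop_url() {
    headers=$(curl -sS -I --max-time 10 "$1") || return 2
    check_coop "$headers"
}

# Constructed sample responses (not captured from a real deployment).
# A response without the header, as an unpatched instance would return:
VULNERABLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-store'

# A response carrying the header, with lower-case name to exercise the
# case-insensitive match:
FIXED_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin
Cache-Control: no-store'

# Live check, only when a URL is supplied through the environment.
if [ -n "${DIRECTUS_SSO_URL:-}" ]; then
    check_coop_url "$DIRECTUS_SSO_URL"
fi
```

Run it against your own instance with `DIRECTUS_SSO_URL=https://directus.example/<sso-login-path> sh check_coop.sh`; the exit status is 0 when the header is present with the expected value, 1 when it is missing or different, and 2 when the request fails, so the check can be dropped into a post-upgrade verification job. The comparison is deliberately strict on the advisory's value; if you intentionally deploy a different COOP value, adjust the single comparison in `check_coop`.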
Update Directus to version 11.17.0 or higher to mitigate the vulnerability. This update implements the Cross-Origin-Opener-Policy (COOP) header, which protects against malicious websites manipulating the OAuth authorization flow.
CVE-2026-35408 is a HIGH severity vulnerability in Directus where the absence of a COOP header allows attackers to redirect OAuth flows, potentially gaining access to user authentication provider accounts.
You are affected if you are using Directus versions prior to 11.17.0 and have SSO enabled. Assess your Directus deployment immediately.
Upgrade Directus to version 11.17.0 or later. As a temporary workaround, implement a WAF rule to add the COOP header to the SSO login pages.
There is currently no confirmed active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Directus security advisory on their website for detailed information and updates: [https://directus.io/security/](https://directus.io/security/)