Platform: nodejs
Component: directus
Fixed in: 11.16.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Directus, a real-time API and App dashboard for managing SQL database content. This flaw allows attackers to bypass IP address validation, potentially accessing internal network resources. The vulnerability affects versions 0.0.0 through 11.15.0 and is resolved in version 11.16.0.
The SSRF vulnerability in Directus arises from a flawed IP address validation mechanism. Attackers can circumvent this protection by crafting requests using IPv4-Mapped IPv6 addresses. This allows them to initiate requests to internal services and resources that should be inaccessible from the outside. Successful exploitation could lead to unauthorized access to sensitive data, internal systems, or even the execution of commands on vulnerable servers, depending on the services exposed internally. The blast radius extends to any internal resource reachable via HTTP/HTTPS from the Directus instance.
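As an added illustration of the bypass class described above (example code written for this page, not Directus's own validator or its actual fix; the blocklist and function names are assumptions), here is a naive dotted-quad guard beside a hardened one that normalises IPv4-mapped IPv6 literals, in both `::ffff:a.b.c.d` and `::ffff:xxxx:xxxx` form, before applying the same blocklist:

```javascript
// Constructed blocklist of IPv4 ranges an SSRF guard must refuse (CIDR bits).
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  return p.some(x => x > 255) ? null : ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inBlockedV4(ip) {
  const n = ipv4ToInt(ip);
  return n !== null && BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Weak guard: only understands dotted-quad IPv4, so ::ffff:127.0.0.1 is never matched.
function weakIsBlocked(host) { return inBlockedV4(host); }

// Expand an IPv6 literal into eight 16-bit groups (null if malformed).
// A trailing dotted IPv4, as in ::ffff:127.0.0.1, becomes the last two groups.
function expandIPv6(s) {
  const v4 = /(?:^|:)(\d{1,3}(?:\.\d{1,3}){3})$/.exec(s);
  if (v4) {
    const n = ipv4ToInt(v4[1]);
    if (n === null) return null;
    s = s.slice(0, -v4[1].length) + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.every(g => /^[0-9a-f]{1,4}$/.test(g)) ? groups.map(g => parseInt(g, 16)) : null;
}

// Hardened guard: strip brackets, lower-case, unwrap an IPv4-mapped address to its
// embedded IPv4 and apply the same blocklist; also refuse loopback ::1 and :: itself.
function hardenedIsBlocked(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, '');
  if (ipv4ToInt(h) !== null) return inBlockedV4(h);
  const g = expandIPv6(h);
  if (g === null) return false; // not an IP literal; resolved DNS answers need this same check
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) {
    return inBlockedV4([g[6] >>> 8, g[6] & 0xff, g[7] >>> 8, g[7] & 0xff].join('.'));
  }
  return g.slice(0, 7).every(x => x === 0) && g[7] <= 1;
}
```

The weak guard accepts `::ffff:127.0.0.1` even though it refuses `127.0.0.1`; the hardened guard refuses both spellings, the hex form `::ffff:7f00:1`, and the bracketed URL form.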
This vulnerability was publicly disclosed on 2026-04-06. While no public proof-of-concept (PoC) has been released at the time of writing, the SSRF nature of the vulnerability makes it likely that a PoC will emerge. The vulnerability's ease of exploitation, combined with Directus's popularity, suggests a medium probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-35409 is to upgrade Directus to version 11.16.0 or later, which includes the fix for the IP address validation bypass. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing IPv4-Mapped IPv6 addresses. Additionally, restrict network access to the Directus instance to only necessary IP addresses and ports. Regularly review and update firewall rules to minimize the attack surface. After upgrading, confirm the fix by attempting to access an internal resource via an IPv4-Mapped IPv6 address; the request should be blocked.
Update Directus to version 11.16.0 or higher to mitigate the Server-Side Request Forgery (SSRF) vulnerability. This update corrects the way IP addresses are validated, preventing IPv4-Mapped IPv6 addresses from being used to bypass protections and access internal resources.
CVE-2026-35409 is a Server-Side Request Forgery (SSRF) vulnerability in Directus versions 0.0.0 through 11.15.0, allowing attackers to bypass IP address validation and potentially access internal resources.
You are affected if you are running Directus versions 0.0.0 through 11.15.0. Upgrade to version 11.16.0 or later to resolve the vulnerability.
Upgrade Directus to version 11.16.0 or later. As a temporary workaround, implement a WAF rule to block requests containing IPv4-Mapped IPv6 addresses.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation, and a PoC may emerge.
Refer to the Directus security advisory for CVE-2026-35409 on the Directus website (directus.io/security).