CVE-2026-35442：Directus 信息泄露漏洞，高危！

Directus 中的 CVE-2026-35442 允许具有集合读取访问权限的经过身份验证的用户提取隐藏字段值，包括来自 directus_users 的静态 API 令牌和双因素身份验证机密。这是由于在应用于具有特殊 conceal 类型的字段的聚合函数（min、max）的处理中的错误造成的。相反于返回掩码占位符，会返回原始数据库值。将此漏洞与 groupBy 结合使用，可以轻松提取敏感信息。

Organizations using Directus for content management and data storage are at risk, particularly those relying on concealed fields to protect sensitive information like API tokens and two-factor authentication secrets. Shared hosting environments where multiple Directus instances share the same database are also at increased risk, as a vulnerability in one instance could potentially expose data from others.

• nodejs / server: Monitor Directus logs for unusual query patterns involving aggregate functions on concealed fields. Look for queries that attempt to extract data from the directus_users table.

grep -i 'conceal|groupBy' /var/log/directus/directus.log

• generic web: Inspect Directus API endpoints for unexpected responses containing raw data instead of masked placeholders when querying concealed fields. Use curl to test API endpoints and examine the response body.

curl -X GET 'http://directus-instance/api/items/directus_users?fields[0]=api_token' | jq '.data[] | .api_token'

1. 2026-04-04Disclosure

   disclosure

1. 已保留2026-04-02
2. 发布日期2026-04-04
3. 修改日期2026-04-07
4. EPSS 更新日期2026-04-14

此漏洞的解决方案是将 Directus 更新到版本 11.17.0 或更高版本。此版本更正了 conceal 字段的聚合函数处理中的错误，确保返回掩码占位符而不是实际值。建议尽快应用此更新以保护存储在 Directus 中的敏感数据。此外，请查看集合访问权限，以将读取访问权限限制为真正需要的用户。