{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35410", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.075Z", "datePublished": "2026-04-06T21:32:13.985Z", "dateUpdated": "2026-04-06T21:32:13.985Z"}, "containers": {"cna": {"title": "Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.16.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:32:13.985Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1."}], "source": {"advisory": "GHSA-cf45-hxwj-4cfj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1."}], "id": "CVE-2026-35410", "lastModified": "2026-04-06T22:16:22.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:22.097", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.16.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-07T01:59:02.824840+00:00", "value": {"mitigation_remediation": ["Upgrade Directus to version 11.16.1 or later.", "If upgrading is not immediately possible, restrict authentication redirect URLs to trusted domains and validate them before redirecting.", "Monitor authentication logs for unexpected redirect destinations and block suspicious activity."], "summary": {"action": "Patch", "impact": "Open redirect during authentication"}, "threat_synthesis": {"affected_systems": "Affected systems are Directus installations running any version prior to 11.16.1. The vulnerability is present in the directus:directus product and was fixed in Directus 11.16.1. Users of earlier releases should evaluate their environment and prepare an upgrade.", "description_and_impact": "The vulnerability arises from the login redirect logic in Directus before version 11.16.1. The isLoginRedirectAllowed function fails to correctly detect malformed URLs as external. This allows attackers to bypass the redirect allow-list and send users to arbitrary external domains after authentication. The primary impact is that authenticated users can be redirected to malicious sites, enabling phishing and credential harvesting.", "risk_and_exploitability": "Risk assessment: The CVSS score is 6.1, indicating moderate severity. EPSS is not provided, and the vulnerability is not listed in CISA KEV. The attack vector is likely remote and requires an attacker to supply a crafted redirect parameter during the OAuth2/SAML authentication flow. Because the exploit is straightforward once the login flow is accessed, the potential for malicious redirection is significant, especially in environments where users trust the application for authentication. Therefore, the risk is moderate but still warrants prompt remediation."}}}}, "created": "2026-04-07T06:53:49.893555+00:00", "updated": "2026-04-07T09:36:48.185894+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}