{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35411", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.075Z", "datePublished": "2026-04-06T21:33:06.664Z", "dateUpdated": "2026-04-06T21:33:06.664Z"}, "containers": {"cna": {"title": "Directus is an Open Redirect in Admin 2FA Setup Page", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-q75c-4gmv-mg9x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-q75c-4gmv-mg9x"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.16.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:33:06.664Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1."}], "source": {"advisory": "GHSA-q75c-4gmv-mg9x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1."}], "id": "CVE-2026-35411", "lastModified": "2026-04-06T22:16:22.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:22.243", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/directus/directus/security/advisories/GHSA-q75c-4gmv-mg9x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.16.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-07T02:27:15.370147+00:00", "value": {"mitigation_remediation": ["Upgrade Directus to version 11.16.1 or later to remove the open redirect flaw on the /admin/tfa-setup page", "Verify that after the upgrade the redirect parameter is no longer accepted on the 2FA setup page", "Enforce completion of Two\u2011Factor Authentication before allowing administrators to access the admin interface", "Consider implementing a web application firewall rule to block requests containing the redirect query parameter on the 2FA setup page", "Educate administrators about the danger of clicking unknown links after completing authentication steps"], "summary": {"action": "Patch", "impact": "Phishing via Open Redirect"}, "threat_synthesis": {"affected_systems": "All Directus installations running a version earlier than 11.16.1 are affected whenever Two\u2011Factor Authentication has not yet been configured for the administrator\u2019s account. The vulnerability is confined to the admin/tfa-setup route and is independent of underlying infrastructure such as the operating system or database server.", "description_and_impact": "Directus is a real\u2011time API and application dashboard used to manage SQL database content. A vulnerability exists in versions prior to 11.16.1 where the /admin/tfa-setup page accepts a redirect query parameter without validation. When an administrator who has not yet set up Two\u2011Factor Authentication visits a crafted URL, the site leads them through the legitimate 2FA setup flow and then redirects them to the attacker\u2011controlled URL. Although the flaw does not provide direct code execution or system compromise, it can be exploited to deliver phishing content or credential\u2011harvesting pages that appear to come from a trusted Directus domain.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low severity, but the exploitability is high because an attacker only needs to generate a malicious URL and supply it to an administrator. The attack vector is remote over standard HTTP or HTTPS, and no local access or additional privileges are required. With no EPSS score available and the issue not listed in CISA\u2019s KEV catalog, the opportunity for exploitation is still present due to the ease of crafting the redirect and the potential for credential theft from users who follow the forged link."}}}}, "created": "2026-04-07T06:53:48.929137+00:00", "updated": "2026-04-07T09:36:47.232027+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}