{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35442", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-06T21:36:57.807Z", "dateUpdated": "2026-04-07T13:30:12.880Z"}, "containers": {"cna": {"title": "Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:36:57.807Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0."}], "source": {"advisory": "GHSA-38hg-ww64-rrwc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T13:30:05.012618Z", "id": "CVE-2026-35442", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:30:12.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries", "source": {"advisory": "GHSA-38hg-ww64-rrwc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": "< 11.17.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc", "name": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:36:57.807Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35442", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T13:30:05.012618Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T13:30:08.487Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35442", "state": "PUBLISHED", "dateUpdated": "2026-04-06T21:36:57.807Z", "dateReserved": "2026-04-02T19:25:52.192Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T21:36:57.807Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747", "versionEndExcluding": "11.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0."}], "id": "CVE-2026-35442", "lastModified": "2026-04-20T16:32:37.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:22.853", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-07T01:56:56.638582+00:00", "value": {"mitigation_remediation": ["Upgrade Directus to version 11.17.0 or later.", "Verify that all concealed fields no longer expose raw values through aggregate queries.", "Review any previously exposed tokens or 2FA secrets and rotate them as necessary."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Breach"}, "threat_synthesis": {"affected_systems": "All installations of Directus running any version prior to 11.17.0 are affected, including the 11.x series up to 11.16.9. The issue is specific to the directus:directus product listed by the CNA and impacts collections where fields are marked as concealed.", "description_and_impact": "Directus, an API and dashboard platform, had a flaw in aggregate functions where fields designated as concealed returned their raw database values instead of a masked placeholder. This allowed any user with read access to a collection to use min or max functions combined with groupBy to retrieve sensitive data such as API tokens and two\u2011factor authentication secrets stored in concealed fields. The vulnerability results in direct disclosure of confidential information, matching CWE\u2011200 and CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this as high severity. Although EPSS data is not available and it is not listed in the KEV catalog, the flaw requires only authenticated read access, which many users already possess. Therefore, the risk of exploitation remains significant, especially for organizations with broad read permissions on sensitive collections."}}}}, "created": "2026-04-07T06:53:45.127821+00:00", "updated": "2026-04-07T09:36:43.208753+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}