{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39942", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.820Z", "datePublished": "2026-04-09T16:07:54.100Z", "dateUpdated": "2026-04-09T19:37:24.389Z"}, "containers": {"cna": {"title": "Directus has a Path Traversal and Broken Access Control in File Management API", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"}, {"name": "https://github.com/directus/directus/releases/tag/v11.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:07:54.100Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0."}], "source": {"advisory": "GHSA-393c-p46r-7c95", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T17:47:33.268680Z", "id": "CVE-2026-39942", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:37:24.389Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39942", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.820Z", "datePublished": "2026-04-09T16:07:54.100Z", "dateUpdated": "2026-04-09T19:37:24.389Z"}, "containers": {"cna": {"title": "Directus has a Path Traversal and Broken Access Control in File Management API", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"}, {"name": "https://github.com/directus/directus/releases/tag/v11.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:07:54.100Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0."}], "source": {"advisory": "GHSA-393c-p46r-7c95", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39942", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T17:47:33.268680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T17:47:36.272Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747", "versionEndExcluding": "11.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0."}], "id": "CVE-2026-39942", "lastModified": "2026-04-14T17:36:25.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T17:16:29.813", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-14T19:37:03.739311+00:00", "value": {"mitigation_remediation": ["Update Directus to version 11.17.0 or later to apply the vendor fix.", "Restrict the /files API to users with appropriate permissions and enforce role-based access control.", "Validate and sanitize the filename_disk parameter to eliminate path traversal possibilities.", "Monitor access logs for unexpected file modification attempts and investigate suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized file modification"}, "threat_synthesis": {"affected_systems": "All releases of Directus older than version 11.17.0, including 11.16.x and earlier, are affected. The vulnerability exists in the API and dashboard components that manage file storage. Users and administrators must verify whether their deployed instances belong to this affected range and plan an upgrade accordingly.", "description_and_impact": "Directus exposes a PATCH endpoint that accepts a filename_disk parameter supplied by the client. By setting this value to the storage location of another user\u2019s file, an attacker can overwrite that file\u2019s contents and alter metadata such as uploaded_by. The flaw represents a path traversal and broken access control weakness, allowing arbitrary data tampering and potential forgery of audit records. The underlying weakness is a lack of proper authorization checks and input validation for the filename_disk field.", "risk_and_exploitability": "The CVSS score of 8.5 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers likely need API access and sufficient privileges to send a crafted PATCH request to /files/{id}. Authentication is not explicitly stated but it is inferred that an authenticated session is required, as the request targets a protected CRUD endpoint. Successful exploitation would enable overwriting arbitrary files, compromising data integrity and potentially enabling broader system compromise."}}}}, "created": "2026-04-10T08:53:03.946413+00:00", "updated": "2026-04-15T16:00:07.803827+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}