Zero Day MonitorZDM

← Back to list

6.1

CVE-2026-35410EXPLOITEDPATCHED

directus · directus

Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1.

Affected Products

Vendor	Product	Versions
directus	directus	< 11.16.1

References

https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-35410 | Directus up to 11.16.0 isLoginRedirectAllowed incomplete blacklist

→ No new info (linked only)

CVSS 3.16.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

directus@11.16.1

CWECWE-184, CWE-601

PublishedApr 4, 2026

Last enriched4h agov2

Tags

GHSA-cf45-hxwj-4cfjnpm

Trending Score49

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-35411EXP

Directus is an Open Redirect in Admin 2FA Setup Page

MEDIUMCVE-2026-35412EXP

Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite

CRITICALCVE-2026-35409

Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import

HIGHCVE-2026-35441

Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits

HIGHCVE-2026-35413

Directus GraphQL Schema SDL Disclosure Setting

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 4, 2026

Discovered by ZDM

Apr 4, 2026

Actively Exploited

Apr 6, 2026

Patch Available

Apr 6, 2026

Updated: severity, activelyExploited

Apr 6, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited

via VulDB

v12d ago

Initial creation