CVE-2021-26594

HIGH

Rangerstudio Directus < 8.8.1 - Improper Privilege Management

Title source: rule

Description

In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/sgranel/directusv8

View Exploit ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0031

EPSS Percentile 54.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-269

Status published

Products (1)

rangerstudio/directus 8.0.0 - 8.8.1

Published Feb 23, 2021

Tracked Since Feb 18, 2026