CVE-2026-35408

HIGH

Directus is Missing Cross-Origin Opener Policy

Title source: cna

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0.

References (1)

[X_Refsource_Confirm] https://github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99

Scores

CVSS v3 8.7

EPSS 0.0001

EPSS Percentile 0.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-346 CWE-693

Status published

Products (3)

directus/directus < 11.17.0

monospace/directus < 11.17.0

npm/directus 0 - 11.17.0npm

Published Apr 06, 2026

Tracked Since Apr 07, 2026