CVE-2026-35442
HIGHDirectus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Title source: cnaDescription
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc
Scores
CVSS v3
8.1
EPSS
0.0034
EPSS Percentile
25.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-200
CWE-863
Status
published
Products (3)
directus/directus
< 11.17.0
monospace/directus
< 11.17.0
npm/directus
0 - 11.17.0npm
Published
Apr 06, 2026
Tracked Since
Apr 07, 2026