CVE-2026-39943
MEDIUMDirectus exposes sensitive fields in revision history
Title source: cnaDescription
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j
X_Refsource_Misc x_refsource_misc
https://github.com/directus/directus/releases/tag/v11.17.0
Scores
CVSS v3
6.5
EPSS
0.0017
EPSS Percentile
6.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
CWE-312
Status
published
Products (3)
directus/directus
< 11.17.0
monospace/directus
< 11.17.0
npm/directus
0 - 11.17.0npm
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026