CVE-2026-39943

MEDIUM

Directus exposes sensitive fields in revision history

Title source: cna

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.

References (2)

[X_Refsource_Confirm] https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j

[X_Refsource_Misc] https://github.com/directus/directus/releases/tag/v11.17.0

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200 CWE-312

Status published

Products (3)

directus/directus < 11.17.0

monospace/directus < 11.17.0

npm/directus 0 - 11.17.0npm

Published Apr 09, 2026

Tracked Since Apr 09, 2026