CVE-2026-35409 Overview
Directus, a real-time API and App dashboard for managing SQL database content, contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in versions prior to 11.16.0. The IP address validation mechanism designed to block requests to local and private networks can be circumvented using IPv4-Mapped IPv6 address notation, potentially allowing attackers to access internal resources that should be protected.
Critical Impact
Authenticated attackers can bypass SSRF protections to access internal network resources, potentially leading to unauthorized data access, internal service enumeration, and further exploitation of backend systems.
Affected Products
- Directus versions prior to 11.16.0
Discovery Timeline
- 2026-04-06 - CVE-2026-35409 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35409
Vulnerability Analysis
This vulnerability (CWE-918: Server-Side Request Forgery) exists due to insufficient validation of IP addresses in Directus's SSRF protection mechanism. When Directus processes user-controlled URLs for server-side requests, it validates the target IP address to prevent requests to internal or private network ranges. However, the validation logic fails to properly account for IPv4-Mapped IPv6 addresses.
IPv4-mapped IPv6 addresses use the format ::ffff:x.x.x.x to represent IPv4 addresses within the IPv6 address space (the ::ffff:0:0/96 block). For example, the loopback address 127.0.0.1 can be written as ::ffff:127.0.0.1 or, in hexadecimal groups, ::ffff:7f00:1. The vulnerable validation code likely checks the target against the standard IPv4 loopback and private ranges (e.g., 127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16) but does not recognize those same addresses when they are expressed in IPv4-mapped IPv6 notation.
Root Cause
The root cause lies in incomplete IP address normalization before validation. The SSRF protection mechanism validates against known private and loopback IP ranges but does not map IPv4-mapped IPv6 representations back to their IPv4 equivalents before performing the check. This allows an attacker to express a blocked IPv4 address in IPv6 notation and bypass the blocklist validation entirely.
Attack Vector
An authenticated attacker with low privileges can exploit this vulnerability by crafting requests containing IPv4-Mapped IPv6 addresses targeting internal network resources. The attack is network-accessible and requires no user interaction. Since the attack bypasses SSRF protections, the attacker can:
- Access internal services that are not directly exposed to the internet
- Retrieve sensitive data from internal APIs or databases
- Scan internal network infrastructure
- Potentially pivot to other internal systems using the Directus server as a proxy
For example, instead of requesting http://127.0.0.1:8080/admin, which would be blocked, an attacker could request http://[::ffff:127.0.0.1]:8080/admin to bypass the validation. Note that a WHATWG-compliant URL parser (including Node's URL implementation) canonicalizes that literal to [::ffff:7f00:1] before the application sees it, so a fix that only strips a dotted-quad ::ffff: prefix is incomplete; the literal must be parsed and mapped back to IPv4 before the range check. For detailed technical information, see the GitHub Security Advisory.
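The bypass and its fix, as an added example in JavaScript (Directus is a Node.js application). This is illustrative code written for this page, not Directus's own validation routine; the function names, the denied-range list and the sample URLs are assumptions:

```javascript
// Added example (not Directus's code): a blocklist-style SSRF host check in
// the vulnerable shape the advisory describes, next to a hardened version
// that maps ::ffff:a.b.c.d (and its hex spelling ::ffff:hhhh:hhhh) back to
// IPv4 before consulting the denied ranges. Function names, the range list
// and the sample inputs are assumptions for this example.

// Ranges the check is meant to deny: loopback, RFC 1918, link-local and
// "this network". Constructed list; tune it for a real deployment.
const DENIED_IPV4 = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12',
  '192.168.0.0/16', '169.254.0.0/16', '0.0.0.0/8'];

// Dotted-quad check with octet range validation. Octal or integer spellings
// such as 0177.0.0.1 or 2130706433 are a separate bypass class, not handled here.
function isIpv4Literal(s) {
  const m = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// VULNERABLE: recognises dotted IPv4 and bare ::1 only. Any other IPv6
// literal, including ::ffff:127.0.0.1, falls through and is allowed.
function isBlockedNaive(host) {
  if (isIpv4Literal(host)) return DENIED_IPV4.some((c) => inCidr(host, c));
  return host === '::1';
}

// Expand an IPv6 literal into eight 16-bit groups; null if it is not one.
// A trailing dotted quad (the ::ffff:a.b.c.d form) is folded into two groups.
function expandIpv6(ip) {
  let s = ip.split('%')[0].toLowerCase(); // drop any zone id
  const dotted = s.match(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
  if (dotted) {
    if (!isIpv4Literal(dotted[1])) return null;
    const n = ipv4ToInt(dotted[1]);
    s = s.slice(0, -dotted[1].length) + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const parts = s.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const fill = parts.length === 2 ? 8 - head.length - tail.length : 0;
  if (parts.length === 2 && fill < 1) return null;
  const groups = [...head, ...Array(fill).fill('0'), ...tail];
  if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// If the literal is an IPv4-mapped IPv6 address (::ffff:0:0/96), return the
// embedded IPv4 address in dotted form; otherwise null.
function toIpv4IfMapped(ip) {
  const g = expandIpv6(ip);
  if (!g || !g.slice(0, 5).every((x) => x === 0) || g[5] !== 0xffff) return null;
  return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
}

// HARDENED: normalise first, then check. Hostnames are out of scope here;
// real code must resolve them and run this check on every returned address,
// so anything that is not an IP literal is denied by this example.
function isBlockedHardened(host) {
  const v4 = isIpv4Literal(host) ? host : toIpv4IfMapped(host);
  if (v4) return DENIED_IPV4.some((c) => inCidr(v4, c));
  const g = expandIpv6(host);
  if (!g) return true;
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true; // ::1
  if ((g[0] & 0xffc0) === 0xfe80) return true;                          // fe80::/10
  if ((g[0] & 0xfe00) === 0xfc00) return true;                          // fc00::/7
  return false;
}

// Host literal as the URL parser hands it to the application. Node's WHATWG
// URL implementation re-serialises [::ffff:127.0.0.1] as [::ffff:7f00:1], so a
// check that only greps for the dotted spelling is also bypassable.
function hostOf(urlString) {
  return new URL(urlString).hostname.replace(/^\[|\]$/g, '');
}

// Constructed sample targets for the attack described in the text.
const SAMPLES = ['http://127.0.0.1:8080/admin', 'http://[::ffff:127.0.0.1]:8080/admin',
  'http://[::ffff:7f00:1]:8080/admin', 'http://[::ffff:8.8.8.8]/'];
for (const u of SAMPLES) {
  const h = hostOf(u);
  console.log(`${u} -> host ${h}: naive=${isBlockedNaive(h)} hardened=${isBlockedHardened(h)}`);
}
```

In production, prefer a maintained parser over hand-rolled expansion (Node's built-in net.BlockList accepts IPv4-mapped addresses, for instance), and apply the check to every address DNS returns for a hostname rather than to literals alone, since a hostname can resolve to a loopback, private or mapped address.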
Detection Methods for CVE-2026-35409
Indicators of Compromise
- Outbound connections from Directus servers to loopback or private IPv4 ranges (a request to a mapped address such as ::ffff:127.0.0.1 leaves the host as ordinary IPv4 traffic, so the IPv6 notation is not visible on the wire)
- Request or application logs containing URL literals with ::ffff: prefixes targeting internal addresses, in either the dotted (::ffff:127.0.0.1) or hexadecimal (::ffff:7f00:1) spelling
- Unexpected data access patterns from the Directus application to internal services
- Network traffic from Directus to internal services that normally would not be accessed
Detection Strategies
- Monitor outbound connections from Directus servers to internal ranges at the network level; the IPv4-mapped notation itself only appears in the submitted URL, so look for it in request, application or WAF logs rather than in packet captures
- Review Directus application logs for requests containing ::ffff: (in both the dotted and the hexadecimal spelling, and in the unabbreviated 0:0:0:0:0:ffff: form) or other IPv6 representations of internal addresses
- Monitor for unusual internal network connections originating from Directus application servers
- Deploy Web Application Firewall (WAF) rules to detect SSRF bypass attempts using IPv6 notation
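Log triage for the ::ffff: pattern from the two lists above, as an added example that is not Directus's code and does not use Directus's real log format; the records, field names and function names are constructed for this page. It leans on the URL parser to canonicalize every spelling of a mapped address before matching, which is what makes a single regex sufficient:

```javascript
// Added example (not Directus code): triage of constructed JSON log records
// for SSRF targets that reach loopback or private IPv4 space through an
// IPv4-mapped IPv6 literal. The log format and field names are assumed.
const SAMPLE_LOG = [
  '{"ts":"2026-04-06T10:00:01Z","user":"u1","target":"https://example.com/feed.xml"}',
  '{"ts":"2026-04-06T10:00:02Z","user":"u2","target":"http://[::ffff:127.0.0.1]:8080/admin"}',
  '{"ts":"2026-04-06T10:00:03Z","user":"u2","target":"http://[0:0:0:0:0:FFFF:10.0.0.5]/"}',
  '{"ts":"2026-04-06T10:00:04Z","user":"u3","target":"http://[::ffff:808:808]/"}',
  '{"ts":"2026-04-06T10:00:05Z","user":"u4","target":"http://[::1]/"}',
  '{"ts":"2026-04-06T10:00:06Z","user":"u5","target":"not a url"}',
];

// Return the IPv4 address embedded in an IPv4-mapped IPv6 host literal, or
// null. The WHATWG URL parser (Node's URL) canonicalises every spelling of a
// mapped address (dotted, hex, mixed case, unabbreviated) to the lower-case
// hex form [::ffff:hhhh:hhhh], so one anchored regex covers all of them.
function mappedIpv4FromUrl(urlString) {
  let host;
  try { host = new URL(urlString).hostname; } catch { return null; }
  const m = host.match(/^\[::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})\]$/);
  if (!m) return null;
  const hi = parseInt(m[1], 16);
  const lo = parseInt(m[2], 16);
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

// Loopback and RFC 1918 space as a plain prefix test (constructed list;
// extend with 169.254.0.0/16 and others as your environment requires).
function isInternalIpv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Scan JSON log lines; return the records whose target decodes to an
// internal IPv4 address hidden behind a mapped-IPv6 literal.
function findMappedSsrf(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const ip = mappedIpv4FromUrl(rec.target);
    if (ip && isInternalIpv4(ip)) {
      hits.push({ ts: rec.ts, user: rec.user, target: rec.target, decoded: ip });
    }
  }
  return hits;
}

for (const hit of findMappedSsrf(SAMPLE_LOG)) {
  console.log(`${hit.ts} user=${hit.user} target=${hit.target} -> ${hit.decoded}`);
}
```

A plain grep for ::ffff: in raw logs misses the unabbreviated 0:0:0:0:0:ffff: spelling and cannot tell ::ffff:7f00:1 from ::ffff:808:808; decoding the embedded IPv4 address is what separates a hit from noise. Bare ::1 and other native IPv6 internal targets need their own rule.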
Monitoring Recommendations
- Enable detailed logging for all URL-based operations in Directus
- Set up alerts for connections from Directus to internal network ranges via any protocol
- Monitor DNS queries from Directus servers for internal hostname resolution patterns
- Implement network segmentation monitoring to detect lateral movement attempts
How to Mitigate CVE-2026-35409
Immediate Actions Required
- Upgrade Directus to version 11.16.0 or later immediately
- Review Directus access logs for potential exploitation attempts using IPv6 address patterns
- Implement network-level controls to restrict Directus server outbound connections to internal resources
- Temporarily disable any features that allow user-controlled URL fetching until patched
Patch Information
The vulnerability is fixed in Directus version 11.16.0. Organizations should upgrade to this version or later to remediate the vulnerability. The patch addresses the IP address validation bypass by properly normalizing IPv4-Mapped IPv6 addresses before validation. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement network segmentation to prevent the Directus server from accessing sensitive internal services
- Deploy a reverse proxy or WAF with IPv6 address normalization capabilities to filter malicious requests
- Restrict outbound network access from Directus servers using firewall rules at the network level
- Consider using an allowlist-based approach for external URL fetching instead of a blocklist
# Example: host firewall rules to stop the Directus process from reaching
# loopback, RFC 1918 and link-local ranges (adjust for your network).
# Match on the account Directus runs as rather than on a source address:
# traffic to 127.0.0.0/8 is sourced from 127.0.0.1, so a "-s <server-ip>"
# rule never matches it, and a blanket OUTPUT block on 127.0.0.0/8 would
# also cut the application off from any local database or cache it uses.
iptables -A OUTPUT -m owner --uid-owner <directus-user> -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner <directus-user> -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner <directus-user> -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner <directus-user> -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner <directus-user> -d 169.254.0.0/16 -j DROP
# IPv6 loopback, link-local and unique-local
ip6tables -A OUTPUT -m owner --uid-owner <directus-user> -d ::1/128 -j DROP
ip6tables -A OUTPUT -m owner --uid-owner <directus-user> -d fe80::/10 -j DROP
ip6tables -A OUTPUT -m owner --uid-owner <directus-user> -d fc00::/7 -j DROP
# A connection to ::ffff:a.b.c.d leaves the kernel as an IPv4 packet, so the
# iptables rules above already cover the IPv4-mapped spelling.
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.