CVE-2026-35410 Overview
CVE-2026-35410 is an open redirect vulnerability discovered in Directus, a real-time API and App dashboard for managing SQL database content. Prior to version 11.16.1, the isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.
Open redirect vulnerabilities are particularly dangerous in authentication flows because they can be weaponized for credential phishing attacks. An attacker can craft a legitimate-looking login URL that, upon successful authentication, redirects the victim to a malicious site designed to capture additional credentials or deliver malware.
Critical Impact
Attackers can exploit this vulnerability to redirect authenticated users to malicious external domains, enabling credential phishing and session hijacking attacks.
Affected Products
- Directus versions prior to 11.16.1
- Directus API and App dashboard installations with default login redirection enabled
- Self-hosted and cloud-hosted Directus deployments
Discovery Timeline
- 2026-04-06 - CVE-2026-35410 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35410
Vulnerability Analysis
This open redirect vulnerability (CWE-184: Incomplete List of Disallowed Inputs) exists in the login redirection logic of Directus. The root issue stems from the isLoginRedirectAllowed function's inability to properly parse and validate malformed URLs that appear internal but actually resolve to external domains.
When a user authenticates through Directus, the application checks the requested redirect URL against a configured allow-list. However, by supplying a redirect URL in a form that the validation logic and the browser interpret differently, an attacker can bypass this validation entirely. The vulnerability requires user interaction: the victim must click on a malicious link and complete the authentication process.
The scope extends beyond the vulnerable application itself, as successful exploitation redirects users to attacker-controlled external domains, potentially exposing them to secondary attacks.
Root Cause
The vulnerability originates from incomplete input validation in the isLoginRedirectAllowed function. This function is responsible for determining whether a redirect URL should be permitted after successful authentication. The function fails to account for edge cases involving malformed URLs that URL parsers may interpret differently than intended.
Specifically, certain URL formats can bypass the allow-list check because the validation logic does not properly handle all possible URL representations. This is a classic example of CWE-184 (Incomplete List of Disallowed Inputs), where the security mechanism fails to anticipate all malicious input patterns.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability through the following scenario:
- The attacker crafts a malicious URL containing the Directus login endpoint with a manipulated redirect parameter
- The malformed redirect URL is designed to bypass the isLoginRedirectAllowed validation function
- The attacker distributes this link via phishing emails, social engineering, or embedded in other websites
- When a victim clicks the link and successfully authenticates to Directus, they are redirected to the attacker-controlled external domain
- The attacker's site can then harvest credentials, deploy malware, or conduct further social engineering attacks
The vulnerability is particularly effective because the initial login page is legitimate, building trust with the victim before the malicious redirect occurs. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35410
Indicators of Compromise
- Unusual redirect URLs in Directus authentication logs containing malformed or obfuscated domain patterns
- User complaints about being redirected to unexpected external sites after login
- Authentication events followed immediately by requests to external domains
- Login URLs containing suspicious redirect parameters with URL encoding anomalies
Detection Strategies
- Review web server access logs for login requests with redirect parameters containing unusual URL patterns such as backslashes, mixed protocols, or URL-encoded characters
- Implement Content Security Policy (CSP) headers to restrict navigation targets and alert on violations
- Monitor authentication flow logs for redirects to domains outside the expected allow-list
- Deploy web application firewall (WAF) rules to detect and block malformed redirect parameters
Monitoring Recommendations
- Enable detailed logging for the Directus authentication module to capture all redirect parameter values
- Configure alerting for any login redirects that resolve to external domains
- Monitor in real time for sessions in which a successful login is immediately followed by navigation to an external domain
- Audit the redirect allow-list configuration periodically to ensure it reflects only legitimate internal destinations
How to Mitigate CVE-2026-35410
Immediate Actions Required
- Upgrade Directus to version 11.16.1 or later immediately
- Review recent authentication logs for evidence of exploitation attempts
- Notify users about potential phishing attempts that may leverage this vulnerability
- Temporarily disable or restrict login redirect functionality if immediate patching is not possible
Patch Information
The vulnerability is fixed in Directus version 11.16.1. Organizations should prioritize upgrading to this version or later to remediate the vulnerability. The fix addresses the URL parsing logic in the isLoginRedirectAllowed function to properly identify and reject malformed external URLs.
For complete details on the security fix, see the GitHub Security Advisory.
Workarounds
- Implement a strict Content Security Policy (CSP) with a form-action directive to limit where the login form may submit; note that the navigate-to directive was dropped from the CSP specification and is not implemented by browsers, so CSP alone cannot block a server-side redirect
- Configure a web application firewall (WAF) to inspect and block requests with suspicious redirect parameters
- Disable the redirect-after-login feature entirely if it is not required for business operations
- Implement server-side redirect validation with an explicit allow-list of fully qualified internal URLs
# Example: Directus environment configuration relevant to login redirects
# Add to your Directus environment file
# PUBLIC_URL identifies the instance's own origin, which is the only destination
# a post-login redirect should ever resolve to; it does not by itself disable
# the redirect feature
PUBLIC_URL="https://your-directus-instance.com"
# Restrict CORS to the instance's own origin; this hardens the API against
# cross-origin requests but does not on its own block open redirects
CORS_ENABLED=true
CORS_ORIGIN="https://your-directus-instance.com"
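As an added example, not Directus code, covering both the access-log review under Detection Strategies and the server-side allow-list validation under Workarounds: the redirect parameter is resolved with the WHATWG URL parser against the instance's public URL and judged by the origin it actually resolves to, so values that look internal but navigate elsewhere are rejected and flagged. The public URL, the /admin/login path, the parameter name "redirect" and the log lines are constructed assumptions.

```javascript
// Added example, not Directus code. Assumptions: the instance's public URL,
// a login path of /admin/login, a query parameter named "redirect", and the
// simplified log format below.
const PUBLIC_URL = 'https://directus.example.com';
const ALLOWED_ORIGINS = new Set([new URL(PUBLIC_URL).origin]);

// Allow a post-login redirect only if it RESOLVES to an allowed origin.
// Resolving against PUBLIC_URL with the WHATWG parser means "//host",
// "/\host" and "user@host" forms are judged by where a browser would go,
// not by whether the string happens to start with "/".
function isRedirectAllowed(redirect, allowed = ALLOWED_ORIGINS, base = PUBLIC_URL) {
  if (typeof redirect !== 'string' || redirect === '') return false;
  let target;
  try {
    target = new URL(redirect, base);
  } catch {
    return false; // unparsable input is rejected rather than assumed internal
  }
  // Only web schemes may be followed; javascript:, data: and similar are rejected.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  return allowed.has(target.origin);
}

// Constructed access-log lines: "<method> <request-target> <status>".
const SAMPLE_LOG = [
  'GET /admin/login?redirect=%2Fadmin%2Fcontent 200',
  'GET /admin/login?redirect=%2F%2Fevil.example%2F 200',
  'GET /admin/login?redirect=%2F%5Cevil.example 200',
  'GET /admin/login?redirect=https%3A%2F%2Fdirectus.example.com%40evil.example%2F 200',
  'GET /assets/logo.png 200',
];

// Return the decoded redirect values of login requests whose redirect would
// leave the allowed origins; these are the lines worth alerting on.
function findExternalLoginRedirects(lines, base = PUBLIC_URL) {
  const flagged = [];
  for (const line of lines) {
    const m = line.match(/^\S+ (\S+) /);
    if (!m) continue;
    const req = new URL(m[1], base);
    if (req.pathname !== '/admin/login') continue;
    const redirect = req.searchParams.get('redirect');
    if (redirect !== null && !isRedirectAllowed(redirect, ALLOWED_ORIGINS, base)) {
      flagged.push(redirect);
    }
  }
  return flagged;
}

console.log(findExternalLoginRedirects(SAMPLE_LOG));
```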
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.