CVE-2026-35411 Overview
CVE-2026-35411 is an open redirect vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content. Prior to version 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation.
Critical Impact
This vulnerability enables phishing attacks targeting Directus administrators by exploiting trust in the legitimate domain. Attackers can craft malicious URLs that redirect administrators to credential harvesting pages after completing authentic 2FA setup flows.
Affected Products
- Directus versions prior to 11.16.1
- Directus installations with unconfigured administrator 2FA
- Self-hosted Directus deployments with exposed admin interfaces
Discovery Timeline
- April 6, 2026 - CVE-2026-35411 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35411
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as "Open Redirect"). The flaw exists in how Directus handles the redirect query parameter during the Two-Factor Authentication setup process at the /admin/tfa-setup endpoint. The application fails to validate or sanitize the redirect URL, allowing attackers to specify arbitrary external destinations.
The attack specifically targets administrators who have not yet configured 2FA, making it a targeted phishing vector. Since the initial interaction occurs entirely on the legitimate Directus domain, victims are more likely to trust the experience and proceed through the malicious redirect after completing the authentic 2FA enrollment.
Root Cause
The root cause of this vulnerability is insufficient input validation on the redirect query parameter within the 2FA setup workflow. The application accepts and processes arbitrary URLs without verifying that the destination belongs to a trusted domain or matches an allowlist of permitted redirect targets. This lack of URL validation before performing the redirect enables attackers to chain legitimate authentication flows with malicious external destinations.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a malicious URL targeting the /admin/tfa-setup endpoint with a redirect parameter pointing to an attacker-controlled domain. The attack flow proceeds as follows:
- Attacker identifies a Directus administrator who has not configured 2FA
- Attacker sends a phishing email or message containing the crafted URL (e.g., https://trusted-directus.example.com/admin/tfa-setup?redirect=https://malicious-site.com/fake-login)
- Administrator clicks the link and is presented with the legitimate Directus 2FA setup page
- Administrator completes the authentic 2FA enrollment process
- Upon completion, Directus redirects the administrator to the attacker-controlled URL
- The attacker's site may present a fake login page to harvest credentials
The vulnerability is particularly effective because the entire 2FA setup experience is legitimate, building trust before the malicious redirect occurs. For technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35411
Indicators of Compromise
- HTTP requests to /admin/tfa-setup containing redirect parameters with external domains
- Outbound redirects from Directus servers to untrusted or suspicious external URLs
- User reports of unexpected redirects after completing 2FA setup
- Web server logs showing 302/303 redirect responses to external domains from the 2FA setup endpoint
Detection Strategies
- Monitor web application logs for requests to /admin/tfa-setup with redirect parameters containing external URLs
- Implement web application firewall (WAF) rules to flag or block requests with external redirect parameters
- Review access logs for patterns of administrator accounts accessing 2FA setup pages from unusual referrers
- Deploy URL inspection tools to identify open redirect attempts in real-time
Monitoring Recommendations
- Enable detailed logging for the Directus admin interface, particularly authentication-related endpoints
- Configure alerting for HTTP redirects to domains outside the organization's trusted list
- Implement user and entity behavior analytics (UEBA) to detect unusual administrator authentication patterns
- Regularly audit administrator accounts for signs of compromise following 2FA enrollment events
How to Mitigate CVE-2026-35411
Immediate Actions Required
- Upgrade Directus to version 11.16.1 or later immediately
- Review administrator accounts for any that have not completed 2FA setup and ensure they configure it through verified internal channels
- Educate administrators about phishing risks and instruct them to access the 2FA setup page directly rather than through email links
- Temporarily restrict external access to the Directus admin interface if an upgrade is not immediately possible
Patch Information
This vulnerability is fixed in Directus version 11.16.1. Organizations should upgrade to this version or later as soon as possible. The patch implements proper validation of the redirect parameter to prevent redirection to untrusted external URLs. For detailed patch information, refer to the GitHub Security Advisory.
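The same-origin check the redirect parameter was missing, applied both as a server-side validator and as the access-log scan described under Detection Strategies. This is an added TypeScript example, not Directus code and not the upstream fix; the trusted origin, the log format and the log lines are constructed for illustration.

```typescript
// Added example (not Directus code). Assumed deployment origin of the Directus instance:
const TRUSTED_ORIGIN = new URL("https://directus.example.com").origin;

/**
 * A redirect target is safe only if it stays on our own origin: an empty value, a
 * root-relative path, or an absolute URL whose origin equals TRUSTED_ORIGIN.
 * Resolving against TRUSTED_ORIGIN lets the WHATWG URL parser handle the classic
 * bypasses for us: "//evil.example" and "/\evil.example" both resolve to a foreign
 * origin, and "https://directus.example.com.evil.example" has a different origin.
 */
function isSafeRedirect(target: string | null | undefined): boolean {
  if (!target) return true; // no redirect requested
  let url: URL;
  try {
    url = new URL(target, TRUSTED_ORIGIN);
  } catch {
    return false; // unparsable value: refuse rather than guess
  }
  return url.origin === TRUSTED_ORIGIN;
}

/** Raw `redirect` query value of a /admin/tfa-setup request path, or null if absent. */
function redirectFromRequest(requestPath: string): string | null {
  const url = new URL(requestPath, TRUSTED_ORIGIN);
  if (url.pathname !== "/admin/tfa-setup") return null;
  return url.searchParams.get("redirect"); // percent-decoded, so encoded schemes are caught
}

// Combined log format: client, identity, user, [timestamp], "METHOD path HTTP/x", status.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/;

interface Finding { ip: string; redirect: string; status: string }

/** Flag access-log lines where /admin/tfa-setup was requested with an off-origin redirect. */
function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip = "", path = "", status = ""] = m;
    const redirect = redirectFromRequest(path);
    if (redirect !== null && !isSafeRedirect(redirect)) findings.push({ ip, redirect, status });
  }
  return findings;
}

// Constructed sample log lines, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.5 - - [06/Apr/2026:10:01:02 +0000] "GET /admin/tfa-setup?redirect=https://malicious-site.com/fake-login HTTP/1.1" 200 512',
  '198.51.100.7 - - [06/Apr/2026:10:02:10 +0000] "GET /admin/tfa-setup?redirect=/admin/settings HTTP/1.1" 200 512',
  '198.51.100.8 - - [06/Apr/2026:10:03:11 +0000] "GET /admin/tfa-setup?redirect=//malicious-site.com HTTP/1.1" 200 512',
  '198.51.100.9 - - [06/Apr/2026:10:04:12 +0000] "GET /admin/login HTTP/1.1" 200 512',
];
```

Running `scanAccessLog(SAMPLE_LOG)` over the constructed lines reports the two requests whose redirect leaves the trusted origin and ignores the root-relative one and the unrelated login request.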
Workarounds
- Deploy a reverse proxy or WAF rule to strip or validate the redirect parameter on requests to /admin/tfa-setup
- Restrict access to the Directus admin interface to trusted internal networks or VPN-only access
- Implement Content Security Policy (CSP) headers with strict form-action directives to limit redirect destinations
- Configure network-level blocking of known malicious domains to mitigate post-redirect exploitation
# Example nginx configuration to block external redirects on tfa-setup.
# The map goes in the http {} block; the location goes in your Directus server {} block.
# Only an empty value or a root-relative path (a single leading "/") is allowed through;
# absolute URLs, protocol-relative "//host" values and "/\host" values are rejected.
# A plain "^https?://(?!trusted\.com)" check is weaker: it lets "https://trusted.com.evil.example"
# and "//evil.example" through. Note that nginx does not percent-decode $arg_redirect.
map $arg_redirect $bad_redirect {
    default        1;
    ""             0;
    "~^/[^/\\\\]"  0;
}
location /admin/tfa-setup {
    if ($bad_redirect) {
        return 403;
    }
    proxy_pass http://directus_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.