CVE-2026-35442 Overview
CVE-2026-35442 is an information disclosure vulnerability in Directus, a real-time API and App dashboard for managing SQL database content. Prior to version 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from the directus_users table.
Critical Impact
Authenticated users can bypass field concealment protections to extract sensitive data including API tokens and 2FA secrets, potentially leading to account takeover and unauthorized API access.
Affected Products
- Directus versions prior to 11.17.0
- Directus API and App dashboard deployments with concealed fields
- Systems storing sensitive data (API tokens, 2FA secrets) in concealed fields
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-35442 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35442
Vulnerability Analysis
This vulnerability stems from improper handling of the conceal special type when processing aggregate functions within the Directus API. The conceal field type is designed to mask sensitive data by returning a placeholder value instead of the actual database content. However, the aggregate functions min and max bypass this protection mechanism, directly returning raw database values.
The flaw is particularly dangerous when combined with the groupBy parameter. An attacker with authenticated read access to a collection containing concealed fields can craft API requests using aggregate functions to systematically extract sensitive information. The directus_users collection is especially vulnerable as it typically contains static API tokens and two-factor authentication secrets stored in concealed fields.
Root Cause
The root cause is an incomplete implementation of field concealment logic within the aggregate function processing pipeline. While direct field access properly applies the conceal mask, the aggregate function handlers (min, max) fail to check the field's special type before returning results. This creates an authorization bypass where the data access control mechanism is circumvented through an alternative query method.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the Directus instance. An attacker needs only read permissions on a collection containing concealed fields to exploit this vulnerability. The exploitation does not require user interaction and can be performed programmatically.
The attacker constructs API requests targeting the aggregate endpoint with min or max functions on concealed fields. By using groupBy parameters strategically, the attacker can correlate extracted values with specific user records, enabling targeted extraction of API tokens or 2FA secrets from the directus_users collection.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as it allows authenticated users to access data that should be masked by the concealment mechanism.
Detection Methods for CVE-2026-35442
Indicators of Compromise
- Unusual API requests containing aggregate functions (min, max) targeting collections with concealed fields
- High volume of aggregate queries against the directus_users collection
- API requests combining aggregate functions with groupBy parameters on sensitive tables
- Unexpected access patterns to concealed field data in application logs
Detection Strategies
- Monitor Directus API logs for aggregate function calls on concealed field types
- Implement alerting for unusual query patterns targeting user-related collections
- Review access logs for authenticated users querying sensitive fields with aggregate functions
- Deploy application-layer monitoring to detect data exfiltration attempts through API abuse
Monitoring Recommendations
- Enable verbose logging for all aggregate API endpoints in Directus
- Configure SIEM rules to correlate aggregate queries with concealed field access
- Implement rate limiting on aggregate endpoints to slow potential exploitation
- Audit read permissions on collections containing sensitive concealed data
How to Mitigate CVE-2026-35442
Immediate Actions Required
- Upgrade Directus to version 11.17.0 or later immediately
- Review and restrict read permissions on collections containing concealed sensitive data
- Audit API access logs for potential prior exploitation attempts
- Rotate any API tokens and 2FA secrets that may have been exposed
Patch Information
The vulnerability is fixed in Directus version 11.17.0. Organizations should update their Directus installations to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict read access permissions on collections containing concealed fields to only essential users
- Temporarily disable aggregate function capabilities at the API gateway level if possible
- Move highly sensitive data (API tokens, 2FA secrets) to separate secured storage outside Directus
- Implement network-level access controls to limit who can reach the Directus API
- Monitor and alert on aggregate queries targeting sensitive collections until patch is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
