CVE-2026-35413

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. This vulnerability is fixed in 11.16.1.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

History

20 Apr 2026, 16:36

Type	Values Removed	Values Added
CPE		cpe:2.3:a:monospace:directus::::::node.js::*
First Time		Monospace Monospace directus
CWE		NVD-CWE-noinfo
References	~~() https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx -~~	() https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx - Vendor Advisory

06 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 22:16

Updated : 2026-04-20 16:36

NVD link : CVE-2026-35413

Mitre link : CVE-2026-35413

CVE.ORG link : CVE-2026-35413

JSON object : View

Products Affected

monospace

directus

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

5.3 /10