Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.
Published: 2026-01-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect via SAML callback
Action: Patch
AI Analysis

Impact

Directus supports SAML authentication, in which the RelayState parameter is meant to return users to their original destination after login. Prior to version 11.14.0 the SAML callback endpoint does not enforce that RelayState points only to allowed domains. This omission allows an attacker to manipulate the parameter so that, after an authentication attempt, the user is redirected to any external URL. The flaw is a classic open-redirect weakness (CWE-601). Should a user click a malicious link in an email or on a website that points to the vulnerable Directus instance, they could be steered to phishing sites or other malicious content, undermining user trust and potentially enabling credential theft or session hijacking. The vulnerability can be exercised without needing to log in first; anyone who can get a user to open a crafted authentication request can send that user to an arbitrary destination. The attacker's capability is limited to redirecting a legitimate user; it does not extend to modifying data or gaining direct access to the Directus system.

Affected Systems

The affected product is Directus, an open-source database content management API and dashboard. Versions of Directus prior to 11.14.0 contain the flaw, and the issue is present in both the success and error paths of the SAML callback endpoint.

Risk and Exploitability

The CVSS score is 4.3, reflecting a moderate impact. The EPSS score is less than 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted SAML authentication request that exploits the open redirect exactly when the callback is processed; an attacker does not need to authenticate to the Directus instance to trigger the flaw. While the risk is not high, the possibility of using the redirect in a phishing or social engineering attack warrants attention.

Generated by OpenCVE AI on April 18, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directus to version 11.14.0 or newer, which includes the patch for the callback validation issue.
  • If an upgrade cannot be performed immediately, configure Directus to validate the RelayState value against a whitelist of allowed redirect domains before executing the redirect in the SAML callback.
  • Monitor authentication and redirect logs for unusual or unexpected SAML callback traffic, especially from unknown or untrusted origins.
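The allowlist check that the second recommendation calls for, as an added example (not Directus's own code): it resolves a RelayState value against the application origin and only redirects to an origin the operator has allowed, falling back to a local path otherwise. The app origin, the extra-origin list and the `/admin` fallback are assumed configuration values; the sample inputs in the comments are constructed.

```javascript
// Added example, not Directus code. Decides where a SAML callback may send the
// user after login, given the untrusted RelayState value from the request.
// Assumed configuration: appOrigin (this deployment's own origin), an optional
// list of extra allowed origins, and a local fallback path.
function resolveRelayState(relayState, appOrigin, extraAllowedOrigins = [], fallback = '/admin') {
  if (typeof relayState !== 'string' || relayState.length === 0) return fallback;

  // Run the allowed origins through the URL parser so the comparison is exact:
  // host lower-cased, default port dropped, any path ignored.
  const allowed = new Set(
    [appOrigin, ...extraAllowedOrigins].map((o) => new URL(o).origin),
  );

  let target;
  try {
    // Resolving against appOrigin keeps relative paths ("/admin/content") on
    // the app. Protocol-relative ("//other.example") and backslash forms
    // ("\\other.example") resolve to absolute URLs, so their origin is what
    // gets compared rather than the raw string.
    target = new URL(relayState, appOrigin);
  } catch {
    return fallback; // unparseable input is never redirected to
  }

  // Only http(s) targets are acceptable; "javascript:" or "data:" values
  // have an origin of "null" and are rejected here.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;

  // Exact origin match: a host that merely starts with or contains the app
  // host ("app.example.other.test") is not the same origin and is rejected.
  if (!allowed.has(target.origin)) return fallback;

  // Userinfo ("https://app.example@other.example") would already have failed
  // the origin check since the host is what counts; strip it regardless.
  target.username = '';
  target.password = '';
  return target.href;
}

// Constructed sample calls, assuming appOrigin = 'https://app.example':
//   resolveRelayState('/admin/content?x=1', ...)     -> 'https://app.example/admin/content?x=1'
//   resolveRelayState('//other.example/', ...)       -> '/admin'
//   resolveRelayState('javascript:void(0)', ...)     -> '/admin'
//   resolveRelayState('https://APP.example:443/x', ...) -> 'https://app.example/x'
```

The same function has to run on both the success path and the error path of the callback, since the advisory notes that both were affected.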



Advisories

Source        ID                    Title
GitHub GHSA   GHSA-3573-4c68-g8cc   Directus has open redirect in SAML
History

Tue, 20 Jan 2026 18:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Monospace
                                       Monospace directus
CPEs                                   cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products                     Monospace
                                       Monospace directus

Thu, 15 Jan 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Directus
                                       Directus directus
Vendors & Products                     Directus
                                       Directus directus

Thu, 08 Jan 2026 14:45:00 +0000

Type                  Values Removed   Values Added
Description                            Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.
Title                                  Directus has open redirect in SAML
Weaknesses                             CWE-601
References
Metrics                                cvssV3_1
                                       {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T14:53:09.871Z

Reserved: 2026-01-05T22:30:38.719Z

Link: CVE-2026-22032

Vulnrichment

Updated: 2026-01-15T14:53:05.896Z

NVD

Status: Analyzed

Published: 2026-01-08T15:15:45.000

Modified: 2026-01-20T18:15:40.300

Link: CVE-2026-22032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses