Description
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
Published: 2026-02-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration
Action: Patch
AI Analysis

Impact

Directus versions prior to 11.14.1 contain a timing-based flaw in the password reset endpoint. When an invalid reset_url parameter is sent, the server’s response time differs by about 500 milliseconds depending on whether the supplied email address or username exists. This measurable delay allows an attacker to determine the existence of user accounts, constituting a user enumeration vulnerability. The flaw is categorized as CWE‑203, Information Exposure Through Timing Channels.

Affected Systems

All deployments of Directus older than version 11.14.1, accessed via the Directus API or the Directus web application, are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity for confidentiality. The EPSS score is less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. An attacker can exploit the flaw remotely by submitting crafted password reset requests to the publicly exposed HTTP endpoint, requiring only knowledge of plausible email addresses or usernames to test.

Generated by OpenCVE AI on April 18, 2026 at 12:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directus to version 11.14.1 or later to apply the fix that normalizes response times.
  • If upgrade is delayed, restrict access to the password reset endpoint or apply rate‑limiting to render timing measurements ineffective.
  • Monitor incoming reset requests for anomalous timing patterns or unusually rapid sequences that may indicate ongoing enumeration attempts.

Generated by OpenCVE AI on April 18, 2026 at 12:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jr94-gj3h-c8rf Directus Vulnerable to User Enumeration via Password Reset Timing Attack
History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Monospace
Monospace directus
CPEs cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products Monospace
Monospace directus

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Directus
Directus directus
Vendors & Products Directus
Directus directus

Fri, 13 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
Title Directus Affected by User Enumeration via Password Reset Timing Attack
Weaknesses CWE-203
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Directus Directus
Monospace Directus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T15:59:06.336Z

Reserved: 2026-02-11T19:56:24.811Z

Link: CVE-2026-26185

cve-icon Vulnrichment

Updated: 2026-02-13T15:59:02.692Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T22:16:07.100

Modified: 2026-02-20T21:09:03.123

Link: CVE-2026-26185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses