Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.
Published: 2026-04-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SSRF protection bypass enabling unintended network access
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a Server-Side Request Forgery (SSRF) protection bypass: an attacker could supply an IPv4-Mapped IPv6 address to trick Directus into making requests to local or private networks. Because the IP address validation could be bypassed, an attacker could cause the server to contact internal resources, potentially exposing sensitive data or facilitating further attacks. This weakness is classified as CWE-918.

Affected Systems

Directus products prior to version 11.16.0 are affected. Users running any Directus instance before 11.16.0 should consider themselves vulnerable.

Risk and Exploitability

The CVSS score is 7.7, indicating a high severity. Although EPSS is not available, the exploit is straightforward once the file‑import endpoint is exposed. The vulnerability is not listed in the CISA KEV catalog, but the high score suggests that attackers could target exposed Directus installations.

Generated by OpenCVE AI on April 7, 2026 at 01:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directus to version 11.16.0 or later
  • Verify your deployment has been updated by checking the version number or running a version query
  • Test the file import functionality to ensure the SSRF protection is effective
  • Monitor logs for any unexpected internal requests after the upgrade

Advisories
Source        ID                    Title
Github GHSA   GHSA-wv3h-5fx7-966h   Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
History

Mon, 20 Apr 2026 17:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Monospace; Monospace directus
CPEs                 |                | cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products   |                | Monospace; Monospace directus

Wed, 08 Apr 2026 14:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Directus; Directus directus
Vendors & Products   |                | Directus; Directus directus

Tue, 07 Apr 2026 00:00:00 +0000

Type         | Values Removed | Values Added
Description  |                | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.
Title        |                | Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
Weaknesses   |                | CWE-918
References   |                |
Metrics      |                | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Directus / Directus
Monospace / Directus

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:05:02.971Z

Reserved: 2026-04-02T17:03:42.075Z

Link: CVE-2026-35409

Vulnrichment

Updated: 2026-04-08T14:04:34.532Z

NVD

Status : Analyzed

Published: 2026-04-06T22:16:21.930

Modified: 2026-04-20T16:47:30.363

Link: CVE-2026-35409

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:36:50Z

Weaknesses