Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1.
Published: 2026-04-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Phishing via Open Redirect
Action: Patch
AI Analysis

Impact

Directus is a real-time API and application dashboard used to manage SQL database content. A vulnerability exists in versions prior to 11.16.1 where the /admin/tfa-setup page accepts a redirect query parameter without validation. When an administrator who has not yet set up Two-Factor Authentication visits a crafted URL, the site leads them through the legitimate 2FA setup flow and then redirects them to the attacker-controlled URL. Although the flaw does not provide direct code execution or system compromise, it can be exploited to deliver phishing content or credential-harvesting pages that appear to come from a trusted Directus domain.

Affected Systems

All Directus installations running a version earlier than 11.16.1 are affected whenever Two-Factor Authentication has not yet been configured for the administrator's account. The vulnerability is confined to the /admin/tfa-setup route and is independent of underlying infrastructure such as the operating system or database server.

Risk and Exploitability

The CVSS score of 4.3 indicates low severity, but the exploitability is high because an attacker only needs to generate a malicious URL and supply it to an administrator. The attack vector is remote over standard HTTP or HTTPS, and no local access or additional privileges are required. Although no EPSS score is available and the issue is not listed in CISA's KEV catalog, exploitation remains a realistic possibility because the redirect is easy to craft and users who follow the forged link may have their credentials stolen.

Generated by OpenCVE AI on April 7, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directus to version 11.16.1 or later to remove the open redirect flaw on the /admin/tfa-setup page
  • Verify that after the upgrade the redirect parameter is no longer accepted on the 2FA setup page
  • Enforce completion of Two‑Factor Authentication before allowing administrators to access the admin interface
  • Consider implementing a web application firewall rule to block requests containing the redirect query parameter on the 2FA setup page
  • Educate administrators about the danger of clicking unknown links after completing authentication steps
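The description above boils down to one missing check: the value of the redirect query parameter is handed to the browser as-is. The following JavaScript is an added example of what that check can look like on a Node.js back end, written for this page; it is not Directus code and not the 11.16.1 fix. The origin (cms.example), the function names, the default landing path and the sample redirect values are all constructed for illustration. It also shows a practical form of the "verify that the redirect parameter is no longer accepted" action from the list: run known-bad targets through the resolver and confirm every one of them lands on the application's own origin.

```javascript
// Added example (not Directus code): validating a post-2FA-setup "redirect"
// query parameter so it can only send the browser to the application's own
// origin (CWE-601 mitigation). The origin, function names and sample inputs
// below are hypothetical values constructed for this illustration.

const APP_ORIGIN = "https://cms.example";   // constructed value
const DEFAULT_LANDING = "/admin/content";   // constructed value

// The weak pattern the advisory describes: whatever arrives in ?redirect=
// becomes the redirect target. Kept only as the "before" for comparison.
function unsafeResolveRedirect(raw) {
  return raw || DEFAULT_LANDING;
}

// Hardened version: accept only same-origin, absolute-path targets and
// always return a fully resolved URL on the application origin.
function resolveRedirect(raw, appOrigin = APP_ORIGIN, fallback = DEFAULT_LANDING) {
  const safeDefault = new URL(fallback, appOrigin).href;
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return safeDefault;
  }
  // Must be an absolute path: a leading "/", and the next character must
  // not be "/" or "\" (forms such as //evil.example or /\evil.example are
  // host-changing, not paths).
  if (!/^\/(?![\/\\])/.test(raw)) {
    return safeDefault;
  }
  // Reject control characters and any backslash: the WHATWG parser strips
  // tabs/newlines and treats "\" as "/" for http(s) URLs, which would reopen
  // the protocol-relative case after the regex check above.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) {
    return safeDefault;
  }
  let parsed;
  try {
    parsed = new URL(raw, appOrigin);
  } catch {
    return safeDefault;
  }
  // The parser has the final say: the resolved origin must be ours.
  if (parsed.origin !== new URL(appOrigin).origin) {
    return safeDefault;
  }
  // Return the absolute href rather than pathname: a pathname such as
  // "//evil" would be reinterpreted as protocol-relative if echoed alone.
  return parsed.href;
}

// Constructed sample values a 2FA-setup handler might receive in ?redirect=.
const SAMPLE_REDIRECTS = [
  "/admin/settings",                 // legitimate in-app path
  "/admin/users?sort=email#list",    // path with query and fragment
  "https://evil.example/login",      // absolute external URL
  "//evil.example/login",            // protocol-relative
  "/\\evil.example/login",           // backslash variant of the above
  "javascript:alert(1)",             // non-http scheme
  "admin/settings",                  // relative path, not anchored at root
  "/\t/evil.example",                // tab smuggled into the path
  "/..//evil",                       // dot-segment trick yielding "//evil"
  "",                                // missing value
];

// Runs both resolvers over the samples; returns { input: { unsafe, safe } }.
function compareResolvers(inputs = SAMPLE_REDIRECTS) {
  const out = {};
  for (const raw of inputs) {
    out[raw] = { unsafe: unsafeResolveRedirect(raw), safe: resolveRedirect(raw) };
  }
  return out;
}

console.table(compareResolvers());
```

Two design choices matter here. First, the regex and control-character checks are pre-filters; the authoritative decision is the comparison of the parsed origin, because URL parsers normalise input in ways a hand-written string check will not anticipate. Second, the function returns the absolute resolved URL, not just the path: the "/..//evil" sample resolves to a same-origin URL whose pathname is "//evil", which would become protocol-relative if the application echoed the pathname back on its own.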



Advisories
Source        ID                     Title
Github GHSA   GHSA-q75c-4gmv-mg9x    Directus: Open Redirect in Admin 2FA Setup Page
History

Mon, 20 Apr 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Monospace; Monospace directus
CPEs                                   cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products                     Monospace; Monospace directus

Tue, 07 Apr 2026 15:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Directus; Directus directus
Vendors & Products                     Directus; Directus directus

Tue, 07 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1.
Title                          Directus is an Open Redirect in Admin 2FA Setup Page
Weaknesses                     CWE-601
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:37:57.212Z

Reserved: 2026-04-02T17:03:42.075Z

Link: CVE-2026-35411

Vulnrichment

Updated: 2026-04-07T13:37:00.889Z

NVD

Status : Analyzed

Published: 2026-04-06T22:16:22.243

Modified: 2026-04-20T16:43:32.290

Link: CVE-2026-35411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:36:47Z

Weaknesses