Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0.
Published: 2026-04-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (resource exhaustion)
Action: Apply Patch
AI Analysis

Impact

Directus GraphQL alias amplification allows an authenticated user to repeat costly relational queries many times in a single request. Because resolver invocations are not deduplicated, the server executes one independent complex database query per alias, multiplying CPU, memory and I/O load linearly with the number of aliases. The result is a denial of service through resource exhaustion that can degrade or crash the service. This weakness is classified as Unbounded Input and Memory Allocation.

Affected Systems

The vulnerability affects Directus installations running any version prior to 11.17.0. Deployments of the Directus product from the Directus vendor are impacted. The issue exists within the GraphQL endpoints (/graphql and /graphql/system).

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly known exploit yet. An attacker needs only authenticated access, even with minimal read-only permissions, to trigger the denial of service by sending a crafted GraphQL request with a large number of aliases. The absence of rate limiting by default and the insufficient token limit make exploitation straightforward under these conditions.

Generated by OpenCVE AI on April 7, 2026 at 01:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Directus to version 11.17.0 or later
  • If immediate update is not feasible, restrict user roles to limit excessive alias use
  • Enable GraphQL query rate limiting or token limits in the configuration
  • Deploy monitoring to detect abnormal query patterns and harden resource limits

Generated by OpenCVE AI on April 7, 2026 at 01:57 UTC.
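One way to apply the alias-budget mitigation from the recommended actions above (an added example, not Directus code): a pre-execution check that counts aliases and repeated selections of the same field in a GraphQL document and rejects the request when the budget is exceeded. It assumes the query arrives as a string; the thresholds, function names and sample query are constructed here, and the alias detection is a lightweight text scan rather than a full GraphQL parser.

```javascript
// Added example, not Directus code: reject a request whose aliases repeat an
// expensive field more times than a budget allows, before any resolver runs.
// The thresholds and the sample query below are constructed for illustration.

function stripArgsAndStrings(src) {
  // Blank out string literals, then drop every argument list "( ... )" so that
  // arguments and variable definitions ("limit: 10", "$id: ID!") are not
  // mistaken for aliases, which have the same "name: name" shape.
  const noStrings = src.replace(/"(?:\\.|[^"\\])*"/g, '""');
  let out = '';
  let depth = 0;
  for (const ch of noStrings) {
    if (ch === '(') { depth += 1; continue; }
    if (ch === ')') { depth = Math.max(0, depth - 1); continue; }
    if (depth === 0) out += ch;
  }
  return out;
}

function countAliases(query) {
  const body = stripArgsAndStrings(query);
  const aliasRe = /([A-Za-z_]\w*)\s*:\s*([A-Za-z_]\w*)/g;
  const perField = new Map(); // target field -> number of aliases pointing at it
  let total = 0;
  let m;
  while ((m = aliasRe.exec(body)) !== null) {
    total += 1;
    perField.set(m[2], (perField.get(m[2]) || 0) + 1);
  }
  return { total, perField };
}

// Returns { ok, reason }; maxAliases bounds the total, maxPerField bounds how
// often one field may be re-resolved under different aliases.
function validateAliasBudget(query, { maxAliases = 20, maxPerField = 5 } = {}) {
  const { total, perField } = countAliases(query);
  const worst = Math.max(0, ...perField.values());
  if (total > maxAliases) return { ok: false, reason: `too many aliases: ${total} > ${maxAliases}` };
  if (worst > maxPerField) return { ok: false, reason: `one field aliased ${worst} times` };
  return { ok: true, reason: '' };
}

// Constructed sample: one relational field requested under three aliases.
const SAMPLE_QUERY = `query ($lim: Int) {
  a1: articles(limit: $lim) { id author { name } }
  a2: articles(limit: $lim) { id author { name } }
  a3: articles(limit: $lim) { id author { name } }
}`;
```

In a real deployment the same counting belongs in a validation rule over the parsed AST of the GraphQL library in use, with the budget tuned to the cost of the heaviest relational field.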

Advisories
Source        ID                    Title
Github GHSA   GHSA-ph52-67fq-75wj   Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits
History

Mon, 20 Apr 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Monospace; Monospace directus
CPEs                                   cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products                     Monospace; Monospace directus

Tue, 07 Apr 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Directus; Directus directus
Vendors & Products                     Directus; Directus directus

Tue, 07 Apr 2026 00:00:00 +0000

Type                  Values Removed   Values Added
Description                            (text identical to the Description at the top of this page)
Title                                  Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits
Weaknesses                             CWE-400; CWE-770
References
Metrics                                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-07T15:08:57.877Z
Reserved: 2026-04-02T19:25:52.192Z
Link: CVE-2026-35441

Vulnrichment

Updated: 2026-04-07T14:47:12.159Z

NVD

Status: Analyzed
Published: 2026-04-06T22:16:22.697
Modified: 2026-04-20T16:34:49.850
Link: CVE-2026-35441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:36:44Z

Weaknesses