Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
Published: 2026-04-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows sensitive data such as user tokens, TOTP secrets, external auth identifiers, stored credentials, and AI provider API keys to be stored in plaintext within revision history records. This was due to the revision snapshot logic sometimes bypassing the sanitization pipeline, resulting in disclosure of confidential information. The weakness corresponds to CWE-200 (Information Exposure) and CWE-312 (Cleartext Storage of Sensitive Information).
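The pattern behind this finding, shown as an added example that is not Directus's own code: a revision writer must pass every delta through a single sanitization step before the snapshot is persisted, and any code path that can skip that step leaks secrets into history. The field names, the `sanitizeDelta` stand-in for the prepareDelta pipeline named on the page, and the in-memory revision store are all assumptions for illustration; the real directus_revisions schema is not reproduced. The audit and scrub helpers go beyond the advisory text: they show how an operator could assess and clean an existing revision table after upgrading.

```javascript
// Added example, not Directus's own code. Column names below are assumed for
// illustration; directus_revisions and prepareDelta are named on the page but
// their actual schema and behaviour are not reproduced here.

// Assumed list of fields that must never reach a revision snapshot in clear.
const SENSITIVE_FIELDS = new Set([
  'token',               // user API token
  'tfa_secret',          // two-factor authentication secret
  'external_identifier', // external auth identifier
  'auth_data',           // auth provider data
  'password',            // stored credential
  'api_key',             // AI provider API key (assumed column name)
]);
const REDACTED = '**********';

// Stand-in for the sanitization step: returns a copy of the delta with
// sensitive fields masked. Nulls are kept so "field cleared" stays visible.
function sanitizeDelta(delta) {
  const out = {};
  for (const [key, value] of Object.entries(delta)) {
    out[key] = SENSITIVE_FIELDS.has(key) && value != null ? REDACTED : value;
  }
  return out;
}

// Vulnerable shape: sanitization is a caller option, so any path that
// forgets to request it stores the raw delta.
function writeRevisionUnsafe(store, activityId, delta, { sanitize = false } = {}) {
  const snapshot = sanitize ? sanitizeDelta(delta) : delta;
  store.push({ id: store.length + 1, activity: activityId, delta: snapshot });
  return store[store.length - 1];
}

// Hardened shape: sanitization is unconditional inside the writer, so no
// caller can bypass it.
function writeRevisionSafe(store, activityId, delta) {
  store.push({ id: store.length + 1, activity: activityId, delta: sanitizeDelta(delta) });
  return store[store.length - 1];
}

// Audit helper for an existing revision table: lists revisions whose delta
// still holds an unmasked sensitive value.
function auditRevisions(store) {
  const findings = [];
  for (const rev of store) {
    const leaked = Object.entries(rev.delta)
      .filter(([k, v]) => SENSITIVE_FIELDS.has(k) && v != null && v !== REDACTED)
      .map(([k]) => k);
    if (leaked.length > 0) findings.push({ id: rev.id, fields: leaked });
  }
  return findings;
}

// Scrub in place: rewrite leaked deltas through the sanitizer and return
// how many revisions were changed.
function scrubRevisions(store) {
  let scrubbed = 0;
  for (const rev of store) {
    if (auditRevisions([rev]).length > 0) {
      rev.delta = sanitizeDelta(rev.delta);
      scrubbed++;
    }
  }
  return scrubbed;
}

// Constructed sample run: one revision written on the unchecked path, one on
// the hardened path. Only the first one shows up in the audit.
const revisions = [];
writeRevisionUnsafe(revisions, 1, { email: 'user@example.com', token: 'tok_constructed_123' });
writeRevisionSafe(revisions, 2, { email: 'user@example.com', tfa_secret: 'CONSTRUCTEDSECRET' });
console.log(auditRevisions(revisions)); // [ { id: 1, fields: [ 'token' ] } ]
```

The design point is that the hardened writer takes no "skip sanitization" option at all; making redaction the only path is what closes the gap the advisory describes. Scrubbing history is a separate step, since upgrading does not rewrite revisions that were already stored in clear.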

Affected Systems

Directus, versions before 11.17.0, where revision history records were not properly sanitized. The issue is resolved in Directus 11.17.0 and later.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability carries a medium-high impact. The EPSS score is below 1%, indicating a low likelihood of exploitation, and the problem is not listed in CISA's KEV catalog. The likely attack vector is through normal use of the API to create or update items that trigger revisions. An attacker with access to revision data, such as an insider or a compromised user, could obtain plaintext tokens and secrets.

Generated by OpenCVE AI on April 14, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Directus to version 11.17.0 or later


Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-mvv8-v4jj-g47j   Directus: Sensitive fields exposed in revision history
History

Tue, 14 Apr 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Monospace; Monospace directus
CPEs                                   cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Vendors & Products                     Monospace; Monospace directus

Fri, 10 Apr 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Directus; Directus directus
Vendors & Products                     Directus; Directus directus

Thu, 09 Apr 2026 16:30:00 +0000

Type                  Values Removed   Values Added
Description                            Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
Title                                  Directus exposes sensitive fields in revision history
Weaknesses                             CWE-200; CWE-312
References
Metrics                                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:06:06.440Z

Reserved: 2026-04-07T22:40:33.820Z

Link: CVE-2026-39943

Vulnrichment

Updated: 2026-04-10T14:06:03.620Z

NVD

Status: Analyzed

Published: 2026-04-09T17:16:29.960

Modified: 2026-04-14T17:34:15.280

Link: CVE-2026-39943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses