CVE-2026-35410 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-35410

CVE-2026-35410

Published:April 06, 2026

Updated:April 20, 2026

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1.

Affected Packages

directus (NPM):

Affected version(s) >=0.1.0-preview.1 <11.16.1

Fix Suggestion:

Update to version 11.16.1

Related Resources (3)

https://github.com/directus/directus

https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj

https://nvd.nist.gov/vuln/detail/CVE-2026-35410

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Improper Input Validation

CWE-20

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Incomplete List of Disallowed Inputs

CWE-184

EPSS

Base Score:

0.04

Products

Solutions

Resources

Company

Compare

Developer Tools