Back to overview

CVE-2026-61836

HIGH
8.6
CVSS 3.1
Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.

Metadata

CVE ID
CVE-2026-61836
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-10 20:28 UTC
Published
2026-07-15 14:17 UTC
Last updated
2026-07-15 14:17 UTC
Primary CWE
CWE-524
CWE-524: Use of Cache Containing Sensitive Information
Vendor / Product
directus / directus
Sources
cve.org  ·  NVD

Severity & Metrics

8.6 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
directus directus < 12.0.0
Weakness (CWE)
CWESourceDescription
CWE-524 cna CWE-524: Use of Cache Containing Sensitive Information
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.6 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References (4)
Back to overview