CVE-2026-35408
Published: 06 April 2026
Summary
CVE-2026-35408 is a high-severity Origin Validation Error (CWE-346) vulnerability in Monospace Directus. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 0.6th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-14 (Public Access Protections). Note that SC-14 is marked withdrawn in 800-53 Revision 5, with its capability folded into the access-control (AC) and system-integrity (SI) control families, so map it to those controls in compliance tooling.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-14 (Public Access Protections): requires organization-defined protections, such as COOP headers on publicly accessible SSO login pages, to prevent cross-origin window manipulation and interception of the OAuth flow.
- CM-6 (Configuration Settings): mandates secure configuration settings, including a Cross-Origin-Opener-Policy header on Directus SSO login pages, so that a cross-origin opener loses its handle to the login window.
- SI-2 (Flaw Remediation): ensures identification, reporting, and correction of the specific flaw (the missing COOP header) through timely patching to Directus 11.17.0 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable Directus instance is a public-facing web application, and the missing COOP header lets an attacker manipulate the OAuth flow on its SSO pages, so exploitation maps to T1190 for initial access. The outcome is theft of the victim's access to their identity provider account, i.e. an application access token granted to an attacker-controlled OAuth client.
NVD Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0.
Deeper analysis
CVE-2026-35408 affects Directus, a real-time API and app dashboard for managing SQL database content, in versions prior to 11.17.0. The flaw is the absence of a Cross-Origin-Opener-Policy (COOP) HTTP response header on Directus's Single Sign-On (SSO) login pages. Without COOP, the browser keeps the login page in the same browsing context group as the cross-origin page that opened it with window.open(), so the opener retains a live handle to the login window. Cross-origin, that handle cannot read the login page's DOM, but it can still navigate the window to a new URL, close it, and exchange postMessage events, and navigation is all the attack needs. The issue carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) and is mapped to CWE-346 (Origin Validation Error) and CWE-693 (Protection Mechanism Failure).
Exploitation is network-reachable, requires no privileges and, per the vector, no user interaction beyond the victim loading the attacker's page, but has high attack complexity. The attacker's page opens the Directus SSO login page, waits for the victim to begin signing in, and then navigates the still-attached window to an authorization URL for an OAuth client the attacker controls. The victim sees a consent screen from their identity provider (Google, Discord, and so on) that looks like part of the Directus login and grants the attacker's client access to that account. This is why the vector records high confidentiality and integrity impact with a changed scope: the damage lands on the identity provider account, not on the Directus instance itself.
Directus 11.17.0 fixes the issue; the description indicates it adds the missing COOP header so that a cross-origin opener loses its handle to the login window. The GitHub Security Advisory at https://github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99 carries the project's own notes. Upgrade to 11.17.0 or later, then confirm with a plain HTTP request that the SSO login page responds with Cross-Origin-Opener-Policy set to same-origin or same-origin-allow-popups; a missing header, an explicit unsafe-none, or a misspelled value all leave the opener attached, because browsers treat unrecognized COOP values as unsafe-none. If the instance sits behind a reverse proxy or CDN that strips or rewrites response headers, check the header as a browser would see it, not at the Directus process.
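The header check described above, as an added example that is not part of this page or of the Directus project. It classifies a COOP header value the way a browser would (missing, unsafe-none and unrecognized values leave a cross-origin opener attached; same-origin and same-origin-allow-popups sever it), exercises the classifier on constructed sample responses, and can also fetch a live login page. The /admin/login path, the DIRECTUS_URL environment variable and the sample headers are assumptions; point the path at whichever page starts the SSO flow in your deployment.

```javascript
// Added example (not Directus project code): classify the
// Cross-Origin-Opener-Policy header of an SSO login page. Node 18+ (global
// fetch and Headers). The URL, path and sample responses are assumptions.

// Browsers treat a missing or unrecognized COOP value as "unsafe-none", so
// only the values listed here actually sever a cross-origin opener's handle.
const OPENER_SEVERING_VALUES = new Set([
  'same-origin',
  'same-origin-allow-popups',
  'noopener-allow-popups', // newer value; severs even same-origin openers
]);

// Parse a raw header value such as 'same-origin; report-to="coop"' and
// classify it. status is 'vulnerable' when a cross-origin window.open()
// caller would keep a live handle to the opened window.
function evaluateCoop(headerValue) {
  if (headerValue === null || headerValue === undefined) {
    return { status: 'vulnerable', token: null, reason: 'header missing (defaults to unsafe-none)' };
  }
  // The policy token is the part before any ';' parameters, case-insensitive.
  const token = String(headerValue).split(';')[0].trim().toLowerCase();
  if (OPENER_SEVERING_VALUES.has(token)) {
    return { status: 'protected', token, reason: 'cross-origin opener handle is severed' };
  }
  const reason = token === 'unsafe-none'
    ? 'explicit unsafe-none'
    : `unrecognized value "${token}" is treated as unsafe-none`;
  return { status: 'vulnerable', token, reason };
}

// Look the header up case-insensitively in a plain object or a Headers instance.
function coopFromHeaders(headers) {
  if (typeof headers.get === 'function') {
    return headers.get('cross-origin-opener-policy');
  }
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'cross-origin-opener-policy');
  return key === undefined ? null : headers[key];
}

function assessResponseHeaders(headers) {
  return evaluateCoop(coopFromHeaders(headers));
}

// Live check against a deployment. Redirects are not followed on purpose:
// the header that matters is the one on the page the browser actually
// renders, so a 3xx here means the path should point at the final page.
// The default path is an assumption.
async function checkLoginPage(baseUrl, path = '/admin/login') {
  const res = await fetch(new URL(path, baseUrl), { redirect: 'manual' });
  return { url: res.url, httpStatus: res.status, ...assessResponseHeaders(res.headers) };
}

// Constructed sample responses (not captured from a real server) so the
// classifier can be exercised offline.
const SAMPLE_RESPONSES = {
  unpatched:      { 'Content-Type': 'text/html' },
  explicitUnsafe: { 'content-type': 'text/html', 'cross-origin-opener-policy': 'unsafe-none' },
  patched:        { 'Content-Type': 'text/html', 'Cross-Origin-Opener-Policy': 'same-origin' },
  withReporting:  { 'Cross-Origin-Opener-Policy': 'same-origin-allow-popups; report-to="coop"' },
  typo:           { 'Cross-Origin-Opener-Policy': 'same_origin' },
};

if (process.env.DIRECTUS_URL) {
  checkLoginPage(process.env.DIRECTUS_URL).then((r) => console.log(JSON.stringify(r, null, 2)));
} else {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    console.log(name.padEnd(15), JSON.stringify(assessResponseHeaders(headers)));
  }
}
```

Run it with no arguments to see the classifier's verdict on the constructed samples, or with DIRECTUS_URL=https://directus.example.org to inspect a real instance. Run the live check from a network position equivalent to a browser's, because a proxy in front of Directus can add or strip the header.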
Details
- CWE(s)