Cyber Resilience

CVE-2026-35409
Severity: High
Published: 06 April 2026
Modified: 20 April 2026
CVSS v3.1 score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0001 (2.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35409 is a high-severity SSRF (CWE-918) vulnerability in Monospace Directus. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.7th percentile by exploit likelihood (EPSS), below the median, and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-35409 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability affecting Directus, a real-time API and app dashboard for managing SQL database content. In versions prior to 11.16.0, the IP address validation mechanism intended to block requests to local and private networks could be circumvented using IPv4-mapped IPv6 address notation. This issue, classified under CWE-918, has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and was published on 2026-04-06.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The changed scope (S:C) reflects that the bypassed protection guards resources beyond the Directus application itself: by defeating the SSRF check, the attacker gains high confidentiality impact (C:H), potentially reaching internal local or private network resources that would otherwise be blocked.

The vulnerability is fixed in Directus version 11.16.0. Additional details are available in the GitHub security advisory at https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h.

Vulnerability details

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF protection bypass in public-facing application (Directus) directly enables exploitation of the app to access internal resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35442 (same product: Monospace Directus)
CVE-2026-39942 (same product: Monospace Directus)
CVE-2025-30353 (same product: Monospace Directus)
CVE-2026-35408 (same product: Monospace Directus)
CVE-2026-35412 (same product: Monospace Directus)
CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-31910 (shared CWE-918)
CVE-2026-48153 (shared CWE-918)

Affected Assets

Vendor: monospace
Product: directus
Versions: ≤ 11.16.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the SSRF bypass by enforcing validation of IP addresses and URLs to block circumventions like IPv4-mapped IPv6 notation.

Prevent, SC-7 (Boundary Protection): Enforces boundary protections that monitor and control outbound communications, preventing access to local and private networks even if application validation is bypassed.

Prevent, AC-4 (Information Flow Enforcement): Controls information flows within and between systems to restrict unauthorized requests to internal resources triggered by SSRF exploitation.