Cyber Posture

CVE-2026-35409

High

Published: 06 April 2026

Modified: 20 April 2026
KEV Added: not listed
Patch: available (fixed in 11.16.0)
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35409 is a high-severity SSRF (CWE-918) vulnerability in Monospace Directus. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 2.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the SSRF bypass by enforcing validation of IP addresses and URLs so that circumventions such as IPv4-mapped IPv6 notation are rejected.
- prevent (SC-7, Boundary Protection): Enforces boundary protections that monitor and control outbound communications, preventing access to local and private networks even if application-level validation is bypassed.
- prevent (AC-4, Information Flow Enforcement): Controls information flows within and between systems to restrict unauthorized requests to internal resources triggered by SSRF exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The SSRF protection bypass sits in a public-facing application (Directus), so exploiting the application directly yields requests to internal resources that the validation was meant to block.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

Deeper analysis

CVE-2026-35409 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability affecting Directus, a real-time API and app dashboard for managing SQL database content. In versions prior to 11.16.0, the IP address validation mechanism intended to block requests to local and private networks could be circumvented using IPv4-mapped IPv6 address notation. This issue, classified under CWE-918, has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and was published on 2026-04-06.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The changed scope (S:C) reflects that the impact lands on components beyond the vulnerable one: by bypassing the SSRF protection, the attacker can cause the server to issue requests to internal local or private network resources that would otherwise be blocked, giving a high confidentiality impact (C:H).

The vulnerability is fixed in Directus version 11.16.0. Additional details are available in the GitHub security advisory at https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h.
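The weakness described above, as an added illustration that is not Directus's code: a validator that matches the parsed literal against a blocklist for its own address family, so `::ffff:127.0.0.1` parses as IPv6, matches nothing and is allowed, beside a validator that unwraps IPv4-mapped IPv6 addresses before checking. The blocklist ranges and the function names are constructed for this example.

```python
import ipaddress
from ipaddress import IPv6Address

# Constructed blocklists of loopback / private / link-local ranges (not the
# list Directus uses); the point is how a literal is matched against them.
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in ("::1/128", "fc00::/7", "fe80::/10")]


def parse_literal(host: str):
    """Parse a URL host literal; IPv6 hosts appear bracketed in URLs."""
    return ipaddress.ip_address(host.strip("[]"))


def naive_is_allowed(host: str) -> bool:
    """Weak check: selects the blocklist by the family of the literal as written.
    '::ffff:127.0.0.1' is an IPv6Address, matches none of the IPv6 ranges and
    is allowed, although the socket ends up connecting to 127.0.0.1."""
    try:
        addr = parse_literal(host)
    except ValueError:
        return False
    ranges = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    return not any(addr in net for net in ranges)


def canonicalize(addr):
    """Reduce an address to the form that is actually routed: an IPv4-mapped
    IPv6 literal (::ffff:a.b.c.d or ::ffff:xxxx:xxxx) becomes the embedded
    IPv4 address, so the IPv4 blocklist applies to it."""
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def hardened_is_allowed(host: str) -> bool:
    """Canonicalize before matching and fail closed on anything that is not a
    literal. A hostname must be resolved and the resolved address re-checked
    immediately before connecting (outside this snippet)."""
    try:
        addr = canonicalize(parse_literal(host))
    except ValueError:
        return False
    ranges = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    return not any(addr in net for net in ranges)


if __name__ == "__main__":
    for h in ("127.0.0.1", "::ffff:127.0.0.1", "[::ffff:7f00:1]", "::1", "93.184.216.34"):
        print(f"{h:20} naive={naive_is_allowed(h)!s:5} hardened={hardened_is_allowed(h)}")
```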

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: monospace directus ≤ 11.16.0 (the NVD description states that versions prior to 11.16.0 are affected and that 11.16.0 contains the fix)

CVEs Like This One

- CVE-2026-35408: same product (Monospace Directus)
- CVE-2026-35412: same product (Monospace Directus)
- CVE-2026-39942: same product (Monospace Directus)
- CVE-2026-35442: same product (Monospace Directus)
- CVE-2025-30353: same product (Monospace Directus)
- CVE-2026-7025: shared CWE-918
- CVE-2025-21385: shared CWE-918
- CVE-2025-52362: shared CWE-918
- CVE-2026-31317: shared CWE-918
- CVE-2026-5016: shared CWE-918
