CVE-2026-35412
Published: 06 April 2026
Summary
CVE-2026-35412 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Monospace Directus. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly preventing the bypass of item-level permissions in the TUS endpoint that allowed arbitrary file overwrites by UUID.
AC-24 requires explicit access control decisions for specific resources in accordance with policies, addressing the TUS controller's failure to validate item-level access to targeted files.
AC-6 enforces least privilege, limiting authenticated users to only necessary file access and mitigating overwrites beyond row-level permission rules.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an authorization bypass in the public-facing TUS upload endpoint allowing remote authenticated attackers to overwrite arbitrary files, directly enabling exploitation of public-facing applications (T1190) and stored data manipulation via unauthorized file overwrites (T1565.001).
NVD Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS…
more
controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. This vulnerability is fixed in 11.16.1.
Deeper analysisAI
CVE-2026-35412 affects Directus, a real-time API and app dashboard for managing SQL database content, in versions prior to 11.16.1. The vulnerability resides in the TUS resumable upload endpoint (/files/tus), where the TUS controller conducts only collection-level authorization checks on the directus_files collection, confirming that an authenticated user has basic file upload permissions. However, it fails to validate item-level access to the specific file targeted for replacement via its UUID, enabling unauthorized overwrites. This issue, classified under CWE-863 (Incorrect Authorization), carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), highlighting high integrity impact with low availability disruption.
An attacker with any authenticated account possessing basic file upload permissions on the directus_files collection can exploit this remotely over the network with low complexity and no user interaction required. By leveraging the TUS endpoint, they bypass row-level permission rules—such as those restricting users to updating only their own files—that are properly enforced on the standard REST upload path. This allows overwriting arbitrary existing files by UUID, potentially compromising data integrity across the system.
The vulnerability is addressed in Directus version 11.16.1, as detailed in the official security advisory at https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89. Security practitioners should upgrade to 11.16.1 or later and review configurations for row-level permissions on file collections to mitigate exposure.
Details
- CWE(s)