CVE-2026-35442
Published: 06 April 2026
Summary
CVE-2026-35442 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Monospace Directus. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely identification, testing, and installation of the vendor patch (version 11.17.0) that corrects aggregate functions returning raw values from concealed fields.
- Access enforcement: Enforces approved authorizations to prevent authenticated users with read access from extracting concealed sensitive data via aggregate functions combined with groupBy queries.
- AU-13 (Monitoring for Information Disclosure): Monitors API queries and responses for unauthorized disclosure of concealed field values like API tokens and 2FA secrets, enabling detection of exploitation attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the network-accessible Directus API enables authenticated users to bypass field concealment via aggregate/groupBy queries, directly facilitating exploitation of a public-facing application (T1190) to extract and steal application access tokens and other sensitive credentials from the database (T1528).
NVD Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.
Deeper analysis
CVE-2026-35442 affects Directus, a real-time API and app dashboard for managing SQL database content, in versions prior to 11.17.0. The vulnerability arises when aggregate functions such as min or max are applied to fields configured with the "conceal" special type; instead of returning the expected masked placeholder, these functions expose raw database values. This issue, linked to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-863 (Incorrect Authorization), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.
Any authenticated user with read access to the affected collection can exploit this flaw over the network with low complexity and no user interaction required. By combining aggregate functions like min or max with groupBy queries, attackers can extract sensitive concealed field values, such as static API tokens and two-factor authentication secrets stored in the directus_users table, potentially enabling further unauthorized access or privilege escalation.
The Directus security advisory at https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc confirms the issue and states that it is fixed in version 11.17.0, recommending immediate upgrades to mitigate the risk.
Details
- CWE(s)