CVE-2026-39942
Published: 09 April 2026
Summary
CVE-2026-39942 is a high-severity Improper Access Control (CWE-284) vulnerability in Monospace Directus. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations for logical access to files, preventing authenticated users from overwriting other users' files via the user-controlled filename_disk parameter.
SI-10 validates user-supplied filename_disk inputs to ensure they correspond only to authorized file paths, blocking path manipulation that enables unauthorized overwrites.
AC-6 least privilege limits low-privilege (PR:L) users from performing high-impact cross-scope file overwrite operations despite authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Directus API endpoint enables remote exploitation of the application (T1190); directly allows unauthorized overwrite of stored file content and metadata tampering (T1565.001).
NVD Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker…
more
can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
Deeper analysisAI
CVE-2026-39942 affects Directus, a real-time API and app dashboard for managing SQL database content, in versions prior to 11.17.0. The vulnerability resides in the PATCH /files/{id} endpoint, which accepts a user-controlled filename_disk parameter. This allows an attacker to set the parameter to match the storage path of another user's file, enabling overwrite of that file's content. Additionally, metadata fields such as uploaded_by can be manipulated to obscure the tampering. The issue is associated with CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network without user interaction. By crafting a PATCH request to /files/{id} with a malicious filename_disk value pointing to a target file's storage path, the attacker overwrites the victim's file content and alters associated metadata. This results in high integrity impact (I:H) across a compromised scope (S:C), with low confidentiality impact (C:L) and no availability impact (A:N), potentially leading to data tampering in multi-tenant environments.
The vulnerability is fixed in Directus version 11.17.0. Security practitioners should upgrade to this version or later. Additional details are available in the Directus security advisory at https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95 and the release notes at https://github.com/directus/directus/releases/tag/v11.17.0.
Details
- CWE(s)