{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35409", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T17:03:42.075Z", "datePublished": "2026-04-06T21:31:13.575Z", "dateUpdated": "2026-04-08T14:05:02.971Z"}, "containers": {"cna": {"title": "Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:31:13.575Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0."}], "source": {"advisory": "GHSA-wv3h-5fx7-966h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:04:19.390558Z", "id": "CVE-2026-35409", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:05:02.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35409", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:04:19.390558Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:04:34.532Z"}}], "cna": {"title": "Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import", "source": {"advisory": "GHSA-wv3h-5fx7-966h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": "< 11.16.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h", "name": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:31:13.575Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35409", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:05:02.971Z", "dateReserved": "2026-04-02T17:03:42.075Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T21:31:13.575Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0."}], "id": "CVE-2026-35409", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:21.930", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.16.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-07T01:59:25.660521+00:00", "value": {"mitigation_remediation": ["Upgrade Directus to version 11.16.0 or later", "Verify your deployment has been updated by checking the version number or running a version query", "Test the file import functionality to ensure the SSRF protection is effective", "Monitor logs for any unexpected internal requests after the upgrade"], "summary": {"action": "Patch Immediately", "impact": "SSRF protection bypass enabling unintended network access"}, "threat_synthesis": {"affected_systems": "Directus products prior to version 11.16.0 are affected. Users running any Directus instance before 11.16.0 should consider themselves vulnerable.", "description_and_impact": "The vulnerability involves a Server\u2011Side Request Forgery (SSRF) protection bypass that allows attackers to use IPv4\u2011Mapped IPv6 addresses to trick Directus into making requests to local or private networks. Because the IP address validation was compromised, an attacker could cause the system to contact internal resources, potentially expose sensitive data or facilitate further attacks. This weakness is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score is 7.7, indicating a high severity. Although EPSS is not available, the exploit is straightforward once the file\u2011import endpoint is exposed. The vulnerability is not listed in the CISA KEV catalog, but the high score suggests that attackers could target exposed Directus installations."}}}}, "created": "2026-04-07T06:53:51.833455+00:00", "updated": "2026-04-07T09:36:50.229362+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}