Search for vulnerabilities
| Vulnerability ID | VCID-9qru-zceb-8kb2 |
| Aliases |
CVE-2026-35413
GHSA-wxwm-3fxv-mrvx |
| Summary | Directus: GraphQL Schema SDL Disclosure Setting ## Summary When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly blocks standard GraphQL introspection queries (`__schema`, `__type`). However, the `server_specs_graphql` resolver on the `/graphql/system` endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. ## Impact Administrators who set `GRAPHQL_INTROSPECTION=false` to hide schema structure from clients would have had a false sense of security, as equivalent schema information remained accessible via the SDL endpoint without authentication. ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai). |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00018 | https://api.first.org/data/v1/epss?cve=CVE-2026-35413 |
| cvssv3.1 | 5.3 | https://github.com/directus/directus |
| generic_textual | MODERATE | https://github.com/directus/directus |
| cvssv3.1 | 5.3 | https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx |
| generic_textual | MODERATE | https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx |
| ssvc | Track | https://github.com/directus/directus/security/advisories/GHSA-wxwm-3fxv-mrvx |
| cvssv3.1 | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2026-35413 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2026-35413 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.0489 |
| EPSS Score | 0.00018 |
| Published At | June 5, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T16:53:01.198101+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wxwm-3fxv-mrvx/GHSA-wxwm-3fxv-mrvx.json | 38.6.0 |