Vulnerability details: VCID-m4z2-58pn-k3cb
Vulnerability ID VCID-m4z2-58pn-k3cb
Aliases CVE-2026-39943
GHSA-mvv8-v4jj-g47j
Summary Directus: Sensitive fields exposed in revision history

### Summary

Directus stores revision records (in `directus_revisions`) whenever items are created or updated. Because the revision snapshot code did not consistently call the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.

### Impact

Any user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:

- `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`
- `ai_openai_api_key`, `ai_anthropic_api_key`, `ai_google_api_key`, `ai_openai_compatible_api_key`

This could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.

### Affected code paths

1. **Item create/update revisions**: the data (snapshot) field written to `directus_revisions` was not processed through `prepareDelta`, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.
2. **Authentication service**: when a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.
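A defender-side illustration of the sanitization step the advisory describes, added here and not Directus's own code: every revision row (item updates and the auto-suspend path alike) is built from a delta that has had concealed fields redacted and relational fields dropped. The field-metadata shape, the `relation` marker, the field names and the placeholder value are assumptions of this example.

```javascript
// Added example, not Directus code. Constructed field metadata for a
// hypothetical users collection; `special` and `relation` are the only
// properties the sanitizer consults.
const FIELD_META = {
  id:                { type: 'uuid' },
  email:             { type: 'string' },
  status:            { type: 'string' },
  token:             { type: 'hash',   special: ['conceal'] },
  tfa_secret:        { type: 'string', special: ['conceal'] },
  ai_openai_api_key: { type: 'string', special: ['conceal'] },
  role:              { type: 'uuid',   relation: 'm2o' },
  policies:          { type: 'alias',  relation: 'o2m' },
};

// Placeholder stored instead of a concealed value (assumed, not Directus's).
const REDACTED = '**********';

// Returns a copy of `delta` that is safe to persist in a revision row:
// relational and unknown fields are dropped, concealed fields are replaced
// by the placeholder (null stays null: there is nothing to hide), and
// every other field is kept as-is.
function sanitizeRevisionDelta(delta, fieldMeta) {
  const out = {};
  for (const [name, value] of Object.entries(delta)) {
    const meta = fieldMeta[name];
    if (!meta || meta.relation) continue;
    if (meta.special?.includes('conceal')) {
      out[name] = value == null ? value : REDACTED;
    } else {
      out[name] = value;
    }
  }
  return out;
}

// The auto-suspend path: the revision is built from the sanitized delta of
// the fields that actually changed, never from the raw user object.
function buildSuspendRevision(user, fieldMeta) {
  const changed = { id: user.id, status: 'suspended' };
  return {
    collection: 'directus_users',
    item: user.id,
    activity: 'update',
    delta: sanitizeRevisionDelta(changed, fieldMeta),
    data: sanitizeRevisionDelta({ ...user, status: 'suspended' }, fieldMeta),
  };
}
```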
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/directus/directus
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/directus/directus/releases/tag/v11.17.0
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T14:06:00Z/ Found at https://github.com/directus/directus/releases/tag/v11.17.0
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T14:06:00Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-39943
Exploit Prediction Scoring System (EPSS)
Percentile 0.09692
EPSS Score 0.00032
Published At June 5, 2026, 12:55 p.m.
Date | Actor | Action | Source | VulnerableCode Version
2026-06-04T16:53:09.997006+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mvv8-v4jj-g47j/GHSA-mvv8-v4jj-g47j.json | 38.6.0