Search for vulnerabilities
| Vulnerability ID | VCID-n9br-39bb-7ugt |
| Aliases |
CVE-2026-35409
GHSA-wv3h-5fx7-966h |
| Summary | Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import ### Summary A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. ### Details Directus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of `127.0.0.1`) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target. This has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation. ### Impact An authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS). |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00014 | https://api.first.org/data/v1/epss?cve=CVE-2026-35409 |
| cvssv3.1 | 7.7 | https://github.com/directus/directus |
| generic_textual | HIGH | https://github.com/directus/directus |
| cvssv3.1 | 7.7 | https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h |
| generic_textual | HIGH | https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h |
| ssvc | Track | https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h |
| cvssv3.1 | 7.7 | https://nvd.nist.gov/vuln/detail/CVE-2026-35409 |
| generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2026-35409 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.02833 |
| EPSS Score | 0.00014 |
| Published At | May 29, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-29T08:48:18.758759+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wv3h-5fx7-966h/GHSA-wv3h-5fx7-966h.json | 38.6.0 |