Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-v44m-ug4p-mqhv
Vulnerability ID VCID-v44m-ug4p-mqhv
Aliases CVE-2026-35412
GHSA-qqmv-5p3g-px89
Summary Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite ## Summary Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on `directus_files`, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. ## Impact - **Arbitrary file overwrite:** Any authenticated user with basic TUS upload permissions can overwrite any file in `directus_files` by UUID, regardless of row-level permission rules. - **Permanent data loss:** The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content. - **Metadata corruption:** The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in `directus_files`, a low-privilege user could replace them with malicious content. ## Workaround Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required. ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-35412
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-35412
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-35412
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-qqmv-5p3g-px89
cvssv3.1 7.1 https://github.com/directus/directus
generic_textual HIGH https://github.com/directus/directus
cvssv3.1 7.1 https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
cvssv3.1_qr HIGH https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
generic_textual HIGH https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
ssvc Track https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
cvssv3.1 7.1 https://nvd.nist.gov/vuln/detail/CVE-2026-35412
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-35412
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-35412
https://github.com/directus/directus
https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
https://nvd.nist.gov/vuln/detail/CVE-2026-35412
GHSA-qqmv-5p3g-px89 https://github.com/advisories/GHSA-qqmv-5p3g-px89
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L Found at https://github.com/directus/directus
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L Found at https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T16:23:08Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35412
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0251
EPSS Score 0.00013
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:52:51.963990+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qqmv-5p3g-px89/GHSA-qqmv-5p3g-px89.json 38.6.0