Search for vulnerabilities
| Vulnerability ID | VCID-wvhh-m37j-nff5 |
| Aliases |
CVE-2026-35442
GHSA-38hg-ww64-rrwc |
| Summary | Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries ### Summary Aggregate functions (`min`, `max`) applied to fields with the `conceal` special type incorrectly return raw database values instead of the masked placeholder. When combined with `groupBy`, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from `directus_users`. ### Details Fields marked with `conceal` are protected by payload processing logic that replaces real values with a masked placeholder on read. This protection works correctly for standard item queries, but aggregate query results are structured differently, operations are nested under their function name rather than appearing as flat field keys. The masking logic does not account for this nested structure, causing it to silently skip concealed fields in aggregate responses and return their raw values to the client. ### Impact - **Account Takeover** An authenticated attacker can harvest static API tokens for all users, including administrators, enabling immediate authentication as any account without credentials. - **2FA Bypass** TOTP seeds stored in directus_users can similarly be extracted, allowing an attacker to bypass two-factor authentication for any account. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 8.0 |
| Risk | 4.0 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00018 | https://api.first.org/data/v1/epss?cve=CVE-2026-35442 |
| cvssv3.1 | 8.1 | https://github.com/directus/directus |
| generic_textual | HIGH | https://github.com/directus/directus |
| cvssv3.1 | 8.1 | https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc |
| generic_textual | HIGH | https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc |
| ssvc | Track | https://github.com/directus/directus/security/advisories/GHSA-38hg-ww64-rrwc |
| cvssv3.1 | 8.1 | https://nvd.nist.gov/vuln/detail/CVE-2026-35442 |
| generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2026-35442 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.04825 |
| EPSS Score | 0.00018 |
| Published At | June 5, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T16:53:08.353694+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-38hg-ww64-rrwc/GHSA-38hg-ww64-rrwc.json | 38.6.0 |