Vulnerability details: VCID-zjtb-sh5z-h3gg
Vulnerability ID VCID-zjtb-sh5z-h3gg
Aliases CVE-2026-26185
GHSA-jr94-gj3h-c8rf
Summary Directus Vulnerable to User Enumeration via Password Reset Timing Attack

Summary
A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.

Details
The password reset endpoint implements a timing protection mechanism to prevent user enumeration; however, URL validation executes before the timing protection is applied. This allows an attacker to distinguish between valid and invalid user accounts based on response timing differences.

Impact
This vulnerability violates user privacy and may facilitate targeted phishing attacks by allowing attackers to confirm the existence of user accounts.
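The ordering bug described above, modelled with a virtual clock so it runs deterministically. This is an added example and not Directus's code: the handler and helper names (requestResetVulnerable, requestResetFixed, findUser, stallTo, timingProfile), the 500 ms stall floor, the per-step costs and the sample accounts are assumptions chosen to reproduce the pattern the advisory describes, not the project's actual values. The vulnerable handler checks reset_url only after the user lookup and exits before the stall; the fixed handler validates input first and pads every exit path.

```javascript
// Added example, not Directus code. Hypothetical model of a password-reset
// handler whose timing protection is bypassed by an early reset_url check.

const USERS = new Set(['alice@example.com']);              // constructed sample data
const ALLOWED_RESET_URLS = ['https://app.example.com/reset']; // assumed allow-list
const STALL_FLOOR_MS = 500;                                // assumed minimum response time
const COST_MS = { lookup: 20, issueToken: 30, sendMail: 120 }; // assumed step costs

// Virtual clock: each simulated step adds its cost; nothing actually sleeps.
function makeClock() {
  const c = { now: 0, tick(ms) { c.now += ms; } };
  return c;
}

function findUser(clock, email) {
  clock.tick(COST_MS.lookup);
  return USERS.has(email.toLowerCase()) ? { email } : null;
}

function isAllowedResetUrl(url) {
  return ALLOWED_RESET_URLS.includes(url);
}

// Timing protection: pad to a fixed floor so cheap and expensive paths
// finish at the same time.
function stallTo(clock, startedAt, floorMs) {
  const elapsed = clock.now - startedAt;
  if (elapsed < floorMs) clock.tick(floorMs - elapsed);
}

// Vulnerable ordering: reset_url is validated after the lookup and the error
// path returns before the stall. With an invalid reset_url an existing user
// errors out after one lookup, a non-existing user is padded to the floor.
function requestResetVulnerable(clock, email, resetUrl) {
  const startedAt = clock.now;
  const user = findUser(clock, email);
  if (!user) {
    stallTo(clock, startedAt, STALL_FLOOR_MS);
    return { status: 204 };
  }
  if (!isAllowedResetUrl(resetUrl)) {
    return { status: 400, error: 'invalid reset_url' }; // early exit, no stall
  }
  clock.tick(COST_MS.issueToken + COST_MS.sendMail);
  stallTo(clock, startedAt, STALL_FLOOR_MS);
  return { status: 204 };
}

// Fixed ordering: validate request input before anything account-dependent,
// and pad every exit path (including errors) in a finally block.
function requestResetFixed(clock, email, resetUrl) {
  const startedAt = clock.now;
  try {
    if (!isAllowedResetUrl(resetUrl)) {
      return { status: 400, error: 'invalid reset_url' };
    }
    const user = findUser(clock, email);
    if (user) clock.tick(COST_MS.issueToken + COST_MS.sendMail);
    return { status: 204 };
  } finally {
    stallTo(clock, startedAt, STALL_FLOOR_MS);
  }
}

// Attacker-side (or test-side) check: time one request per candidate email and
// report the spread. A spread close to the stall floor means the handler leaks.
function timingProfile(handler, emails, resetUrl) {
  const samples = {};
  for (const email of emails) {
    const clock = makeClock();
    handler(clock, email, resetUrl);
    samples[email] = clock.now;
  }
  const times = Object.values(samples);
  return { samples, spreadMs: Math.max(...times) - Math.min(...times) };
}

const CANDIDATES = ['alice@example.com', 'nobody@example.com']; // constructed
const BAD_URL = 'https://attacker.example/reset';              // not on the allow-list

console.log('vulnerable, invalid reset_url:', timingProfile(requestResetVulnerable, CANDIDATES, BAD_URL));
console.log('fixed, invalid reset_url:     ', timingProfile(requestResetFixed, CANDIDATES, BAD_URL));
console.log('vulnerable, valid reset_url:  ', timingProfile(requestResetVulnerable, CANDIDATES, ALLOWED_RESET_URLS[0]));
```

With a valid reset_url both handlers pad every path to the floor and the spread is zero, which is why the leak only appears when an invalid reset_url is supplied. Against a live deployment, replace the virtual clock with wall-clock measurements over many repeated requests per candidate and compare medians, since network jitter is far larger than the handler's own variance.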
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-26185
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jr94-gj3h-c8rf
cvssv3.1 5.3 https://github.com/directus/directus
generic_textual MODERATE https://github.com/directus/directus
cvssv3.1 5.3 https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
generic_textual MODERATE https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
ssvc Track https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
cvssv3.1 5.3 https://github.com/directus/directus/pull/26485
generic_textual MODERATE https://github.com/directus/directus/pull/26485
ssvc Track https://github.com/directus/directus/pull/26485
cvssv3.1 5.3 https://github.com/directus/directus/releases/tag/v11.14.1
generic_textual MODERATE https://github.com/directus/directus/releases/tag/v11.14.1
ssvc Track https://github.com/directus/directus/releases/tag/v11.14.1
cvssv3.1 5.3 https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
cvssv3.1_qr MODERATE https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
generic_textual MODERATE https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
ssvc Track https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-26185
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-26185
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/ Found at https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus/pull/26485
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/ Found at https://github.com/directus/directus/pull/26485
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus/releases/tag/v11.14.1
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/ Found at https://github.com/directus/directus/releases/tag/v11.14.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-26185
Exploit Prediction Scoring System (EPSS)
Percentile 0.0267
EPSS Score 0.00014
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T08:51:51.088791+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-jr94-gj3h-c8rf/GHSA-jr94-gj3h-c8rf.json 38.6.0