Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filenamedisk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploadedby to obscure the tampering. This vulnerability is fixed in 11.17.0.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-284",
"CWE-639"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39942.json"
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "11.17.0"
}
],
"cpe": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*"
}