Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39943.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "11.17.0"
}
],
"cpe": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
]
}