GHSA-38hg-ww64-rrwc

Source
https://github.com/advisories/GHSA-38hg-ww64-rrwc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-38hg-ww64-rrwc/GHSA-38hg-ww64-rrwc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-38hg-ww64-rrwc
Aliases
  • CVE-2026-35442
Published
2026-04-04T06:13:57Z
Modified
2026-04-04T06:33:34.299359Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Details

Summary

Aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users.

Details

Fields marked with conceal are protected by payload-processing logic that replaces real values with a masked placeholder on read. This works correctly for standard item queries, but aggregate query results are structured differently: each operation's results are nested under the function name (for example, under a min or max key) rather than appearing as flat field keys. The masking logic does not account for this nested structure, so it silently skips concealed fields in aggregate responses and returns their raw values to the client.
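The gap described above, as an added JavaScript illustration (this is not Directus code: the schema object, the `conceal` flag, the placeholder string, the field names `token` and `tfa_secret`, the aggregate function list and the response layout are all assumptions made for the example). `maskFlat` mirrors a read-time pass that only inspects top-level keys, `maskAggregateRow` applies the same rule beneath every aggregate function key as well, and `compare` reports which concealed values each approach lets through on a constructed aggregate response.

```javascript
// Added illustration of the masking gap in the advisory. Not Directus code:
// the schema shape, the `conceal` flag, the placeholder, the field names and
// the aggregate function list are assumptions made for this example.

const MASK = '**********'; // assumed placeholder returned for concealed fields

// Assumed list of aggregate functions whose results are keyed by function name.
const AGGREGATE_FUNCTIONS = ['count', 'countDistinct', 'sum', 'sumDistinct', 'avg', 'avgDistinct', 'min', 'max'];

// Assumed schema: which fields of which collection carry the conceal special.
const schema = {
  directus_users: {
    id: { special: [] },
    email: { special: [] },
    token: { special: ['conceal'] },      // assumed name for the static API token field
    tfa_secret: { special: ['conceal'] }, // assumed name for the TOTP seed field
  },
};

function concealedFields(collection) {
  return Object.entries(schema[collection] ?? {})
    .filter(([, def]) => def.special.includes('conceal'))
    .map(([name]) => name);
}

// Read-time masking that only looks at flat, top-level keys. This mirrors the
// behaviour the advisory describes: correct for plain item reads, blind to the
// nested objects an aggregate response carries.
function maskFlat(collection, record) {
  const out = { ...record };
  for (const field of concealedFields(collection)) {
    if (out[field] !== undefined && out[field] !== null) out[field] = MASK;
  }
  return out;
}

// Aggregate-aware masking: apply the same rule to the top level (the groupBy
// columns) and to every object nested under an aggregate function name.
function maskAggregateRow(collection, row) {
  const out = maskFlat(collection, row);
  for (const fn of AGGREGATE_FUNCTIONS) {
    const node = out[fn];
    if (node && typeof node === 'object' && !Array.isArray(node)) {
      out[fn] = maskFlat(collection, node);
    }
  }
  return out;
}

// Constructed sample in the assumed aggregate response shape: one row per
// groupBy value, with each function's results nested under its name.
const SAMPLE_ROWS = [
  { id: 'u1', max: { token: 'raw-token-1' }, min: { tfa_secret: 'RAWSEED1' } },
  { id: 'u2', max: { token: 'raw-token-2' }, min: { tfa_secret: null } },
];

// Collect every concealed value that survives masking unchanged.
function leakedValues(rows, masker) {
  const concealed = new Set(concealedFields('directus_users'));
  const leaks = [];
  for (const row of rows.map((r) => masker('directus_users', r))) {
    for (const fn of AGGREGATE_FUNCTIONS) {
      for (const [field, value] of Object.entries(row[fn] ?? {})) {
        if (concealed.has(field) && value !== null && value !== MASK) leaks.push(value);
      }
    }
  }
  return leaks;
}

// Leak list per masking strategy, so the difference is visible side by side.
function compare() {
  return {
    flat: leakedValues(SAMPLE_ROWS, maskFlat),
    aggregateAware: leakedValues(SAMPLE_ROWS, maskAggregateRow),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

Run with `node`: the `flat` list in the output is the leak, the `aggregateAware` list is empty. Masking beneath every aggregate function key rather than only `min` and `max` is a deliberate fail-closed choice: masking a count of a concealed field costs little, while an allow-list of value-returning functions would have to be kept in step with the query engine.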

Impact

  • Account takeover: An authenticated attacker can harvest the static API tokens of all users, including administrators, and then authenticate as any of those accounts without knowing their credentials.

  • 2FA bypass: TOTP seeds stored in directus_users can be extracted the same way, allowing an attacker to bypass two-factor authentication for any account.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:13:57Z",
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200",
        "CWE-863"
    ]
}
Affected packages

npm / directus

Affected ranges

Type: SEMVER
Events
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 11.17.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-38hg-ww64-rrwc/GHSA-38hg-ww64-rrwc.json"