GHSA-393c-p46r-7c95

Source
https://github.com/advisories/GHSA-393c-p46r-7c95
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-393c-p46r-7c95/GHSA-393c-p46r-7c95.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-393c-p46r-7c95
Aliases
  • CVE-2026-39942
Published
2026-04-04T06:06:39Z
Modified
2026-04-09T19:18:35.599562Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Summary
Directus: Path Traversal and Broken Access Control in File Management API
Details

Summary

A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter.

Details

The PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering.

Impact

  • Unauthorized File Overwrite: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.
  • Remote Code Execution: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded.
  • Data Integrity Compromise: Files can be tampered with or replaced without visible indication in the application interface.

Mitigation

The filename_disk parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and filename_disk should be excluded from the fields users are permitted to update directly.

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2026-04-09T17:16:29Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-639",
        "CWE-915"
    ],
    "github_reviewed_at": "2026-04-04T06:06:39Z"
}
References

Affected packages

npm / directus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
11.17.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-393c-p46r-7c95/GHSA-393c-p46r-7c95.json"