GHSA-jr94-gj3h-c8rf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jr94-gj3h-c8rf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-jr94-gj3h-c8rf/GHSA-jr94-gj3h-c8rf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jr94-gj3h-c8rf
- Aliases
- Published
- 2026-02-12T22:13:04Z
- Modified
- 2026-02-13T17:48:48.075974Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Directus Vulnerable to User Enumeration via Password Reset Timing Attack
- Details
-
Summary
A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.
Details
The password reset endpoint implements a timing protection mechanism to prevent user enumeration; however, URL validation executes before the timing protection is applied. This allows an attacker to distinguish between valid and invalid user accounts based on response timing differences.
Impact
This vulnerability violates user privacy and may facilitate targeted phishing attacks by allowing attackers to confirm the existence of user accounts.
- Database specific
{ "nvd_published_at": "2026-02-12T22:16:07Z", "github_reviewed_at": "2026-02-12T22:13:04Z", "cwe_ids": [ "CWE-203" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
- https://nvd.nist.gov/vuln/detail/CVE-2026-26185
- https://github.com/directus/directus/pull/26485
- https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
- https://github.com/directus/directus
- https://github.com/directus/directus/releases/tag/v11.14.1
Affected packages
npm / directus
Package
- Name
- directus
- View open source insights on deps.dev
- Purl
- pkg:npm/directus
npm / @directus/api
Package
- Name
- @directus/api
- View open source insights on deps.dev
- Purl
- pkg:npm/%40directus/api