GHSA-qqmv-5p3g-px89

Suggest an improvement
Source
https://github.com/advisories/GHSA-qqmv-5p3g-px89
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qqmv-5p3g-px89/GHSA-qqmv-5p3g-px89.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qqmv-5p3g-px89
Aliases
  • CVE-2026-35412
Published
2026-04-04T06:11:18Z
Modified
2026-04-04T06:18:55.432852Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Details

Summary

Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.

Impact

  • Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.
  • Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
  • Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.

Workaround

Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:11:18Z",
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

npm / directus

Package

Name
directus
View open source insights on deps.dev
Purl
pkg:npm/directus

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.16.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qqmv-5p3g-px89/GHSA-qqmv-5p3g-px89.json"