GHSA-wxwm-3fxv-mrvx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wxwm-3fxv-mrvx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-wxwm-3fxv-mrvx/GHSA-wxwm-3fxv-mrvx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wxwm-3fxv-mrvx
- Aliases
-
- CVE-2026-35413
- Published
- 2026-04-04T06:10:27Z
- Modified
- 2026-04-04T06:19:03.167985Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Directus: GraphQL Schema SDL Disclosure Setting
- Details
-
Summary
When
GRAPHQL_INTROSPECTION=falseis configured, Directus correctly blocks standard GraphQL introspection queries (__schema,__type). However, theserver_specs_graphqlresolver on the/graphql/systemendpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level.Impact
Administrators who set
GRAPHQL_INTROSPECTION=falseto hide schema structure from clients would have had a false sense of security, as equivalent schema information remained accessible via the SDL endpoint without authentication.Credit
This vulnerability was discovered and reported by bugbunny.ai.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-04T06:10:27Z", "severity": "MODERATE", "nvd_published_at": null, "cwe_ids": [ "CWE-200" ] }- References
Affected packages
npm / directus
Package
- Name
- directus
- View open source insights on deps.dev
- Purl
- pkg:npm/directus