CVE-2026-35411

Directus is an Open Redirect in Admin 2FA Setup Page

Assigner: GitHub_M
Reserved: 02.04.2026 Published: 06.04.2026 Updated: 07.04.2026

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	directus
Product	directus
Versions	Version < 11.16.1 is affected

Vendor

directus

Product

directus

Versions

Version < 11.16.1 is affected

References

Problem Types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE

CVE-2026-35411 PUBLISHED

Directus is an Open Redirect in Admin 2FA Setup Page

Metrics

Product Status

References

Problem Types