CVE-2026-35408

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-35408

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35408.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-35408

Aliases

GHSA-8m32-p958-jg99

Published

2026-04-06T21:30:22.824Z

Modified

2026-04-08T12:15:15.695298Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Directus is Missing Cross-Origin Opener Policy

Details

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-346",
        "CWE-693"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35408.json"
}

References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type

GIT

Repo

https://github.com/directus/directus

Events

Introduced

Fixed

dfb2db349f84b67a85565cbc009b8c658f130ce9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "11.17.0"
        }
    ]
}

Affected versions

10.*

10.11.2

Other

delete

list

remove

v10.*

v10.0.0

v10.1.0

v10.1.1

v10.10.0

v10.10.1

v10.10.2

v10.10.3

v10.10.4

v10.10.5

v10.10.6

v10.10.7

v10.11.0

v10.11.1

v10.11.2

v10.12.1

v10.13.0

v10.13.1

v10.13.2

v10.2.0

v10.2.1

v10.3.0

v10.4.0

v10.4.2

v10.4.3

v10.5.0

v10.5.1

v10.5.2

v10.5.3

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.7.0

v10.7.1

v10.7.2

v10.8.0

v10.8.1

v10.8.2

v10.8.3

v10.9.0

v10.9.1

v10.9.2

v10.9.3

v11.*

v11.0.0

v11.0.1

v11.0.2

v11.1.0

v11.1.1

v11.1.2

v11.10.0

v11.10.1

v11.10.2

v11.11.0

v11.12.0

v11.13.0

v11.13.1

v11.13.2

v11.13.3

v11.13.4

v11.14.0

v11.14.1

v11.15.0

v11.15.1

v11.15.2

v11.15.3

v11.15.4

v11.16.0

v11.16.1

v11.2.0

v11.2.1

v11.2.2

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.3.4

v11.3.5

v11.4.0

v11.4.1

v11.5.0

v11.5.1

v11.6.0

v11.6.1

v11.7.0

v11.7.1

v11.7.2

v11.8.0

v11.9.0

v11.9.1

v11.9.2

v11.9.3

v9.*

v9.0.0

v9.0.0-alpha.10

v9.0.0-alpha.14

v9.0.0-alpha.15

v9.0.0-alpha.16

v9.0.0-alpha.17

v9.0.0-alpha.18

v9.0.0-alpha.20

v9.0.0-alpha.21

v9.0.0-alpha.22

v9.0.0-alpha.23

v9.0.0-alpha.24

v9.0.0-alpha.25

v9.0.0-alpha.26

v9.0.0-alpha.27

v9.0.0-alpha.31

v9.0.0-alpha.32

v9.0.0-alpha.33

v9.0.0-alpha.34

v9.0.0-alpha.36

v9.0.0-alpha.37

v9.0.0-alpha.38

v9.0.0-alpha.39

v9.0.0-alpha.4

v9.0.0-alpha.40

v9.0.0-alpha.41

v9.0.0-alpha.42

v9.0.0-alpha.5

v9.0.0-alpha.6

v9.0.0-alpha.7

v9.0.0-alpha.8

v9.0.0-alpha.9

v9.0.0-beta.0

v9.0.0-beta.1

v9.0.0-beta.10

v9.0.0-beta.11

v9.0.0-beta.12

v9.0.0-beta.13

v9.0.0-beta.14

v9.0.0-beta.2

v9.0.0-beta.3

v9.0.0-beta.4

v9.0.0-beta.5

v9.0.0-beta.7

v9.0.0-beta.8

v9.0.0-beta.9

v9.0.0-rc.0

v9.0.0-rc.1

v9.0.0-rc.10

v9.0.0-rc.100

v9.0.0-rc.101

v9.0.0-rc.11

v9.0.0-rc.12

v9.0.0-rc.13

v9.0.0-rc.14

v9.0.0-rc.15

v9.0.0-rc.17

v9.0.0-rc.18

v9.0.0-rc.19

v9.0.0-rc.2

v9.0.0-rc.20

v9.0.0-rc.21

v9.0.0-rc.22

v9.0.0-rc.23

v9.0.0-rc.24

v9.0.0-rc.25

v9.0.0-rc.26

v9.0.0-rc.27

v9.0.0-rc.28

v9.0.0-rc.29

v9.0.0-rc.3

v9.0.0-rc.30

v9.0.0-rc.31

v9.0.0-rc.32

v9.0.0-rc.33

v9.0.0-rc.34

v9.0.0-rc.35

v9.0.0-rc.36

v9.0.0-rc.37

v9.0.0-rc.38

v9.0.0-rc.39

v9.0.0-rc.4

v9.0.0-rc.40

v9.0.0-rc.41

v9.0.0-rc.42

v9.0.0-rc.43

v9.0.0-rc.44

v9.0.0-rc.45

v9.0.0-rc.46

v9.0.0-rc.47

v9.0.0-rc.48

v9.0.0-rc.49

v9.0.0-rc.5

v9.0.0-rc.50

v9.0.0-rc.51

v9.0.0-rc.52

v9.0.0-rc.53

v9.0.0-rc.54

v9.0.0-rc.55

v9.0.0-rc.56

v9.0.0-rc.57

v9.0.0-rc.58

v9.0.0-rc.59

v9.0.0-rc.6

v9.0.0-rc.60

v9.0.0-rc.61

v9.0.0-rc.62

v9.0.0-rc.63

v9.0.0-rc.64

v9.0.0-rc.65

v9.0.0-rc.66

v9.0.0-rc.67

v9.0.0-rc.68

v9.0.0-rc.69

v9.0.0-rc.7

v9.0.0-rc.70

v9.0.0-rc.71

v9.0.0-rc.72

v9.0.0-rc.73

v9.0.0-rc.74

v9.0.0-rc.75

v9.0.0-rc.76

v9.0.0-rc.77

v9.0.0-rc.78

v9.0.0-rc.79

v9.0.0-rc.8

v9.0.0-rc.80

v9.0.0-rc.81

v9.0.0-rc.82

v9.0.0-rc.83

v9.0.0-rc.84

v9.0.0-rc.85

v9.0.0-rc.86

v9.0.0-rc.87

v9.0.0-rc.88

v9.0.0-rc.89

v9.0.0-rc.9

v9.0.0-rc.90

v9.0.0-rc.91

v9.0.0-rc.92

v9.0.0-rc.93

v9.0.0-rc.94

v9.0.0-rc.95

v9.0.0-rc.96

v9.0.0-rc.97

v9.0.0-rc.98

v9.0.0-rc.99

v9.0.0-y.0

v9.0.1

v9.1.0

v9.1.1

v9.1.2

v9.10.0

v9.11.0

v9.11.1

v9.12.0

v9.12.1

v9.12.2

v9.13.0

v9.14.1

v9.14.2

v9.14.3

v9.14.4

v9.14.5

v9.15.0

v9.15.1

v9.16.0

v9.16.1

v9.17.0

v9.17.1

v9.17.2

v9.17.3

v9.17.4

v9.18.0

v9.18.1

v9.19.0

v9.19.1

v9.19.2

v9.2.0

v9.2.1

v9.2.2

v9.20.0

v9.20.1

v9.20.2

v9.20.3

v9.20.4

v9.21.0

v9.21.1

v9.21.2

v9.22.0

v9.22.1

v9.22.2

v9.22.3

v9.22.4

v9.23.0

v9.23.1

v9.23.2

v9.23.3

v9.23.4

v9.24.0

v9.25.0

v9.25.1

v9.25.2

v9.26.0

v9.3.0

v9.4.0

v9.4.1

v9.4.2

v9.4.3

v9.5.0

v9.5.1

v9.5.2

v9.6.0

v9.7.0

v9.7.1

v9.8.0

v9.9.0

v9.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35408.json"