CVE-2026-35413

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-35413

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35413.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-35413

Aliases

GHSA-wxwm-3fxv-mrvx

Published

2026-04-06T21:34:32.683Z

Modified

2026-04-09T04:09:09.246588Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Directus GraphQL Schema SDL Disclosure Setting

Details

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the serverspecsgraphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. This vulnerability is fixed in 11.16.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35413.json"
}

References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type

GIT

Repo

https://github.com/directus/directus

Events

Introduced

Fixed

40ec421fdf7a19f4ebd5dec44b5c1f7d5856304d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "11.16.1"
        }
    ]
}

Affected versions

10.*

10.11.2

Other

delete

list

remove

v10.*

v10.0.0

v10.1.0

v10.1.1

v10.10.0

v10.10.1

v10.10.2

v10.10.3

v10.10.4

v10.10.5

v10.10.6

v10.10.7

v10.11.0

v10.11.1

v10.11.2

v10.12.1

v10.13.0

v10.13.1

v10.13.2

v10.2.0

v10.2.1

v10.3.0

v10.4.0

v10.4.2

v10.4.3

v10.5.0

v10.5.1

v10.5.2

v10.5.3

v10.6.0

v10.6.1

v10.6.2

v10.6.3

v10.6.4

v10.7.0

v10.7.1

v10.7.2

v10.8.0

v10.8.1

v10.8.2

v10.8.3

v10.9.0

v10.9.1

v10.9.2

v10.9.3

v11.*

v11.0.0

v11.0.1

v11.0.2

v11.1.0

v11.1.1

v11.1.2

v11.10.0

v11.10.1

v11.10.2

v11.11.0

v11.12.0

v11.13.0

v11.13.1

v11.13.2

v11.13.3

v11.13.4

v11.14.0

v11.14.1

v11.15.0

v11.15.1

v11.15.2

v11.15.3

v11.15.4

v11.16.0

v11.2.0

v11.2.1

v11.2.2

v11.3.0

v11.3.1

v11.3.2

v11.3.3

v11.3.4

v11.3.5

v11.4.0

v11.4.1

v11.5.0

v11.5.1

v11.6.0

v11.6.1

v11.7.0

v11.7.1

v11.7.2

v11.8.0

v11.9.0

v11.9.1

v11.9.2

v11.9.3

v9.*

v9.0.0

v9.0.0-alpha.10

v9.0.0-alpha.14

v9.0.0-alpha.15

v9.0.0-alpha.16

v9.0.0-alpha.17

v9.0.0-alpha.18

v9.0.0-alpha.20

v9.0.0-alpha.21

v9.0.0-alpha.22

v9.0.0-alpha.23

v9.0.0-alpha.24

v9.0.0-alpha.25

v9.0.0-alpha.26

v9.0.0-alpha.27

v9.0.0-alpha.31

v9.0.0-alpha.32

v9.0.0-alpha.33

v9.0.0-alpha.34

v9.0.0-alpha.36

v9.0.0-alpha.37

v9.0.0-alpha.38

v9.0.0-alpha.39

v9.0.0-alpha.4

v9.0.0-alpha.40

v9.0.0-alpha.41

v9.0.0-alpha.42

v9.0.0-alpha.5

v9.0.0-alpha.6

v9.0.0-alpha.7

v9.0.0-alpha.8

v9.0.0-alpha.9

v9.0.0-beta.0

v9.0.0-beta.1

v9.0.0-beta.10

v9.0.0-beta.11

v9.0.0-beta.12

v9.0.0-beta.13

v9.0.0-beta.14

v9.0.0-beta.2

v9.0.0-beta.3

v9.0.0-beta.4

v9.0.0-beta.5

v9.0.0-beta.7

v9.0.0-beta.8

v9.0.0-beta.9

v9.0.0-rc.0

v9.0.0-rc.1

v9.0.0-rc.10

v9.0.0-rc.100

v9.0.0-rc.101

v9.0.0-rc.11

v9.0.0-rc.12

v9.0.0-rc.13

v9.0.0-rc.14

v9.0.0-rc.15

v9.0.0-rc.17

v9.0.0-rc.18

v9.0.0-rc.19

v9.0.0-rc.2

v9.0.0-rc.20

v9.0.0-rc.21

v9.0.0-rc.22

v9.0.0-rc.23

v9.0.0-rc.24

v9.0.0-rc.25

v9.0.0-rc.26

v9.0.0-rc.27

v9.0.0-rc.28

v9.0.0-rc.29

v9.0.0-rc.3

v9.0.0-rc.30

v9.0.0-rc.31

v9.0.0-rc.32

v9.0.0-rc.33

v9.0.0-rc.34

v9.0.0-rc.35

v9.0.0-rc.36

v9.0.0-rc.37

v9.0.0-rc.38

v9.0.0-rc.39

v9.0.0-rc.4

v9.0.0-rc.40

v9.0.0-rc.41

v9.0.0-rc.42

v9.0.0-rc.43

v9.0.0-rc.44

v9.0.0-rc.45

v9.0.0-rc.46

v9.0.0-rc.47

v9.0.0-rc.48

v9.0.0-rc.49

v9.0.0-rc.5

v9.0.0-rc.50

v9.0.0-rc.51

v9.0.0-rc.52

v9.0.0-rc.53

v9.0.0-rc.54

v9.0.0-rc.55

v9.0.0-rc.56

v9.0.0-rc.57

v9.0.0-rc.58

v9.0.0-rc.59

v9.0.0-rc.6

v9.0.0-rc.60

v9.0.0-rc.61

v9.0.0-rc.62

v9.0.0-rc.63

v9.0.0-rc.64

v9.0.0-rc.65

v9.0.0-rc.66

v9.0.0-rc.67

v9.0.0-rc.68

v9.0.0-rc.69

v9.0.0-rc.7

v9.0.0-rc.70

v9.0.0-rc.71

v9.0.0-rc.72

v9.0.0-rc.73

v9.0.0-rc.74

v9.0.0-rc.75

v9.0.0-rc.76

v9.0.0-rc.77

v9.0.0-rc.78

v9.0.0-rc.79

v9.0.0-rc.8

v9.0.0-rc.80

v9.0.0-rc.81

v9.0.0-rc.82

v9.0.0-rc.83

v9.0.0-rc.84

v9.0.0-rc.85

v9.0.0-rc.86

v9.0.0-rc.87

v9.0.0-rc.88

v9.0.0-rc.89

v9.0.0-rc.9

v9.0.0-rc.90

v9.0.0-rc.91

v9.0.0-rc.92

v9.0.0-rc.93

v9.0.0-rc.94

v9.0.0-rc.95

v9.0.0-rc.96

v9.0.0-rc.97

v9.0.0-rc.98

v9.0.0-rc.99

v9.0.0-y.0

v9.0.1

v9.1.0

v9.1.1

v9.1.2

v9.10.0

v9.11.0

v9.11.1

v9.12.0

v9.12.1

v9.12.2

v9.13.0

v9.14.1

v9.14.2

v9.14.3

v9.14.4

v9.14.5

v9.15.0

v9.15.1

v9.16.0

v9.16.1

v9.17.0

v9.17.1

v9.17.2

v9.17.3

v9.17.4

v9.18.0

v9.18.1

v9.19.0

v9.19.1

v9.19.2

v9.2.0

v9.2.1

v9.2.2

v9.20.0

v9.20.1

v9.20.2

v9.20.3

v9.20.4

v9.21.0

v9.21.1

v9.21.2

v9.22.0

v9.22.1

v9.22.2

v9.22.3

v9.22.4

v9.23.0

v9.23.1

v9.23.2

v9.23.3

v9.23.4

v9.24.0

v9.25.0

v9.25.1

v9.25.2

v9.26.0

v9.3.0

v9.4.0

v9.4.1

v9.4.2

v9.4.3

v9.5.0

v9.5.1

v9.5.2

v9.6.0

v9.7.0

v9.7.1

v9.8.0

v9.9.0

v9.9.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-35413.json"