Severity: High | Published: 2026-04-01 | CVSS 7.1 | CVE-2026-35412 (2026-04-01)
Tags: directus, cms, headless, authentication, upload, web

CVE-2026-35412 — Directus: TUS Upload Authentication Bypass

A missing authorization check in the Directus TUS upload handler (all versions prior to 11.16.1) allows a low-privilege authenticated user to overwrite arbitrary files writable by the Directus process, including system or configuration files.

Context

On April 1, 2026, a vulnerability classed as an authentication bypass was disclosed in Directus, the widely adopted open source headless CMS. The flaw sits in the handler for the tus resumable upload protocol and lets an attacker holding nothing more than a basic user account overwrite arbitrary files that the server process can write.

Affected Versions

  • Directus all versions prior to 11.16.1

Fixed version: 11.16.1

Exploitation Mechanism

TUS is a resumable upload protocol that Directus uses to handle large file uploads. Directus's TUS handler does not correctly validate permissions when resuming an upload:

  1. An authenticated attacker (even with a very low-privilege role) initiates a TUS upload
  2. They manipulate the resume identifier (Upload-ID) to target an existing file on the server
  3. The server overwrites the target file without verifying whether the user has permission to modify it

Files potentially at risk include configuration files, templates, or any file accessible by the Directus Node.js process.

Impact

Depending on the server configuration and Directus process permissions, exploitation may allow:

  • Overwriting Directus configuration files (.env, config.js)
  • Replacing static files served by the application
  • Privilege escalation if files the process loads at start-up, such as configuration or extensions, can be modified
  • Denial of service by corrupting files critical to the application

The actual impact depends heavily on the deployment structure and system permissions of the Directus process.

Detection

# Check the installed Directus version
npx directus --version
# or read it from the manifest
grep '"directus"' package.json

# Review tus resume requests in the access log (log path and format are deployment-specific)
# Do not filter out 2xx responses: a successful overwrite is exactly what you are looking
# for, and a tus PATCH normally answers 204. Look instead at PATCH requests whose upload id
# is not a plain server-minted token, or that come from a user other than the upload's creator.
grep -E 'PATCH .*/files/tus/' /var/log/directus/app.log
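A detection pass over log lines, added here as an example rather than taken from the bulletin or from Directus: it correlates tus upload creations with resumes, so that a PATCH issued by someone other than the creator, or carrying an id that is not a plain server-minted token, is flagged. The JSON field names (user, req.method, req.url, res.statusCode, res.location), the /files/tus route and the sample lines themselves are constructed assumptions about the log format; adapt the field extraction to whatever your logger emits.

```javascript
// Constructed sample of JSON access-log lines (pino-style). Field names and the
// /files/tus route are assumptions, not Directus's documented log schema.
const SAMPLE_LOG = [
  '{"time":1775000000001,"user":"admin-1","req":{"method":"POST","url":"/files/tus"},"res":{"statusCode":201,"location":"/files/tus/9c1f2a"}}',
  '{"time":1775000000002,"user":"admin-1","req":{"method":"PATCH","url":"/files/tus/9c1f2a"},"res":{"statusCode":204}}',
  '{"time":1775000000003,"user":"editor-7","req":{"method":"PATCH","url":"/files/tus/9c1f2a"},"res":{"statusCode":204}}',
  '{"time":1775000000004,"user":"editor-7","req":{"method":"PATCH","url":"/files/tus/..%2Fconfig%2F.env"},"res":{"statusCode":204}}',
  '{"time":1775000000005,"user":"editor-7","req":{"method":"GET","url":"/items/articles"},"res":{"statusCode":200}}',
  'not a json line',
].join('\n');

const TUS_ROUTE = /^\/files\/tus(?:\/(.+))?$/;
const SANE_ID = /^[A-Za-z0-9_-]+$/;   // what a server-minted upload id should look like

// Walk the log once: remember who created each upload (POST + Location header),
// then judge every PATCH against that record. Returns one finding per suspicious
// resume. Successful (2xx) responses are deliberately NOT filtered out.
function analyzeTusLog(text) {
  const creators = new Map();   // uploadId -> user who created it
  const findings = [];
  for (const raw of text.split('\n')) {
    let e;
    try { e = JSON.parse(raw); } catch { continue; }
    if (!e || typeof e !== 'object') continue;
    const m = TUS_ROUTE.exec(e.req?.url ?? '');
    if (!m) continue;
    if (e.req.method === 'POST') {
      const created = TUS_ROUTE.exec(e.res?.location ?? '')?.[1];
      if (created) creators.set(created, e.user);
      continue;
    }
    if (e.req.method !== 'PATCH' || !m[1]) continue;
    let id;
    try { id = decodeURIComponent(m[1]); } catch { id = m[1]; }   // undecodable ids stay suspicious
    const base = { time: e.time, user: e.user, id, status: e.res?.statusCode };
    if (!SANE_ID.test(id)) {
      findings.push({ ...base, reason: 'upload id is not a plain token' });
    } else if (!creators.has(id)) {
      findings.push({ ...base, reason: 'resume of an upload with no recorded creation' });
    } else if (creators.get(id) !== e.user) {
      findings.push({ ...base, reason: `resume by a user other than the creator (${creators.get(id)})` });
    }
  }
  return findings;
}
```

On the sample, the admin's own resume is silent, the editor's resume of the admin's upload is flagged, and the percent-encoded traversal id is flagged regardless of who sent it. In a real deployment, run this over a window that starts before the oldest creation you care about, otherwise legitimate resumes show up as "no recorded creation".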

Remediation

  1. Update Directus to version 11.16.1 or later:

    npm install directus@latest
    # or specific version
    npm install directus@11.16.1
    
  2. Verify the integrity of critical files — compare configuration file checksums against known-good versions

  3. Restrict Directus process permissions at the system level — the process should only have write access to strictly necessary directories (uploads/, extensions/):

    # Example: configuration readable but not writable by the service account,
    # write access only where the process genuinely needs it
    chown -R root:directus /app/config /app/.env
    chmod -R u=rwX,g=rX,o= /app/config
    chmod 640 /app/.env
    chown -R directus:directus /app/uploads /app/extensions
    chmod -R u=rwX,g=rX,o= /app/uploads /app/extensions
    
  4. Audit Directus user roles and permissions — remove unused accounts or accounts with excessive privileges

Recommendations

  • Principle of least privilege — the application process should never have write access to its own configuration files in production
  • Containerize Directus — a Docker container with a read-only filesystem (except the uploads volume) significantly reduces the attack surface
  • Monitor file modifications using an integrity tool (AIDE, Tripwire, or simply inotifywait) on critical configuration files
  • Establish an update policy for headless CMS instances — production Directus instances must be actively kept up to date