CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26185: Clockwatching: Enumerating Directus Users via Timing Side-Channels


Vulnerability ID: CVE-2026-26185
CVSS Score: 5.3
Published: 2026-02-12

A logic error in the Directus password reset flow allows attackers to enumerate valid email addresses by measuring server response times. By supplying a 'reset_url' value that fails validation, an attacker can bypass the application's anti-enumeration timing protection.

TL;DR

Directus implemented a 'stall' mechanism to hide whether a user exists during password resets. However, the 'reset_url' parameter was validated after the user lookup, and for existing users the validation error was thrown before the stall. This created a 500ms timing discrepancy: for an existing user an invalid 'reset_url' returns an error immediately (fast), while for a non-existing user the request still absorbs the artificial delay (slow).
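To make the ordering problem concrete, here is an added example (not Directus code) that models the two orderings of the reset flow with a virtual clock instead of real sleeps, so the timing gap can be computed exactly. The user directory, the simplified `isUrlAllowed`, and the assumption that existing and unknown users otherwise share one generic response are all constructed for the illustration.

```typescript
// Added example, not Directus code: a deterministic model of the password
// reset ordering described in the report. A virtual clock stands in for real
// sleeps, so the timing gap can be computed exactly instead of measured.

const STALL_TIME = 500; // ms, the constant shown in the Directus snippet

// Assumption: a constructed user directory standing in for getUserByEmail.
const KNOWN_USERS: ReadonlySet<string> = new Set(["alice@example.test"]);

// Assumption: a simplified isUrlAllowed that accepts only allow-listed origins.
export function isUrlAllowed(url: string, allowList: readonly string[]): boolean {
  const origin = /^(https?:\/\/[^/?#]+)/i.exec(url)?.[1];
  return origin !== undefined && allowList.includes(origin.toLowerCase());
}

export interface Outcome {
  response: "invalid_url" | "generic"; // model: known and unknown users share one generic response
  elapsedMs: number;
}

type Clock = { now: number };

// Mirrors the stall(): wait until STALL_TIME has passed since `start`.
function stallUntil(clock: Clock, start: number): void {
  const remaining = STALL_TIME - (clock.now - start);
  if (remaining > 0) clock.now += remaining;
}

export type Flow = (email: string, url: string | undefined, allowList: readonly string[]) => Outcome;

// Pre-fix ordering (as the report describes it): lookup first, URL validation second.
export const vulnerableFlow: Flow = (email, url, allowList) => {
  const clock: Clock = { now: 0 };
  const start = clock.now;
  const userExists = KNOWN_USERS.has(email);
  if (!userExists) {
    stallUntil(clock, start); // unknown address: pays the full stall
    return { response: "generic", elapsedMs: clock.now };
  }
  if (url && !isUrlAllowed(url, allowList)) {
    // known address + disallowed URL: error thrown before any stall
    return { response: "invalid_url", elapsedMs: clock.now };
  }
  stallUntil(clock, start); // mail would be sent here; the stall still applies
  return { response: "generic", elapsedMs: clock.now };
};

// Post-fix ordering (commit e69aa7a): URL validation before the lookup.
export const fixedFlow: Flow = (email, url, allowList) => {
  const clock: Clock = { now: 0 };
  const start = clock.now;
  if (url && !isUrlAllowed(url, allowList)) {
    return { response: "invalid_url", elapsedMs: clock.now }; // identical for every address
  }
  const userExists = KNOWN_USERS.has(email);
  if (!userExists) {
    stallUntil(clock, start);
    return { response: "generic", elapsedMs: clock.now };
  }
  stallUntil(clock, start);
  return { response: "generic", elapsedMs: clock.now };
};

// Observable discrepancy check (CWE-203): do a known and an unknown address
// produce a different response or a different timing for the same request?
export function leaksExistence(flow: Flow, url: string | undefined, allowList: readonly string[]): boolean {
  const known = flow("alice@example.test", url, allowList);
  const unknown = flow("nobody@example.test", url, allowList);
  return known.response !== unknown.response || known.elapsedMs !== unknown.elapsedMs;
}

const ALLOW = ["https://app.example.test"];
console.log("vulnerable, disallowed url:", leaksExistence(vulnerableFlow, "https://evil.example.test/reset", ALLOW)); // true
console.log("fixed, disallowed url:", leaksExistence(fixedFlow, "https://evil.example.test/reset", ALLOW)); // false
```

The model shows why the patch is sufficient for this leak: once the allow-list check runs before `getUserByEmail`, every request with a rejected URL fails at the same point regardless of the address, and every request with an accepted URL reaches the stall.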


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-203 (Observable Discrepancy)
  • Attack Vector: Network
  • CVSS: 5.3 (Medium)
  • Impact: Information Disclosure (User Enumeration)
  • Exploit Status: Proof of Concept (Trivial)
  • Affected Component: UsersService.requestPasswordReset

Affected Systems

  • Directus < 11.14.1 (fixed in 11.14.1)
  • @directus/api < 32.2.0 (fixed in 32.2.0)

Code Analysis

Commit: e69aa7a

Fix: Prevent user enumeration by validating reset URL before user lookup

@@ -558,17 +558,17 @@ export class UsersService extends ItemsService {
        const STALL_TIME = 500;
        const timeStart = performance.now();

+       if (url && isUrlAllowed(url, env['PASSWORD_RESET_URL_ALLOW_LIST'] as string) === false) {
+           throw new InvalidPayloadError({ reason: `URL "${url}" can't be used to reset passwords` });
+       }
+
        const user = await this.getUserByEmail(email);
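Review bot: Moving the allow-list check above `getUserByEmail` closes the gap the report describes, since a rejected `url` now throws before any lookup and the elapsed time no longer depends on whether the address exists. Two points on the visible lines: the guard `url && isUrlAllowed(...) === false` skips validation entirely when `url` is falsy, which deserves a one-line comment stating that this is intentional; and the explicit `=== false` suggests `isUrlAllowed` may return something other than a boolean, so if it is boolean a plain `!isUrlAllowed(url, ...)` reads clearer. The hunk header advertises 17 lines but only the first few are shown here, so the stall path that follows the lookup should be checked in the full commit to confirm that any error raised for an existing user after `getUserByEmail` still waits out `STALL_TIME`.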

Exploit Details

  • Internal research: timing-based enumeration using the Python requests library to measure the response-time delta between known and unknown addresses.

Mitigation Strategies

  • Update to the latest version of Directus immediately.
  • Monitor logs for high-frequency 400/403 errors on the password reset endpoint.
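The second mitigation can be turned into a concrete check. The following is an added example, not part of the report or of Directus: it parses constructed access-log lines, keeps only 400/403 responses to the reset endpoint (the path `/auth/password/request` is assumed to be the route being watched), and flags any client address whose failures cluster above a threshold inside a sliding window.

```typescript
// Added example, not part of the report: a small detector for the log signal
// named above (bursts of 400/403 responses on the password reset endpoint).
// Log lines are constructed in a Common Log Format shape; the endpoint path
// /auth/password/request is assumed to be the reset route being watched.

export interface ResetAttempt { ip: string; ts: number; status: number }

const RESET_PATH = "/auth/password/request"; // assumption: the reset route
const WATCHED_STATUSES: ReadonlySet<number> = new Set([400, 403]);
const MONTHS: { [abbr: string]: number | undefined } = {
  Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11,
};

// "12/Feb/2026:10:00:01 +0000" -> epoch seconds (UTC), or null if malformed.
export function parseClfTime(text: string): number | null {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(text);
  if (!m) return null;
  const [, dd = "", mon = "", yyyy = "", hh = "", mi = "", ss = "", sign = "+", oh = "0", om = "0"] = m;
  const month = MONTHS[mon];
  if (month === undefined) return null;
  const local = Date.UTC(+yyyy, month, +dd, +hh, +mi, +ss) / 1000;
  const offset = (+oh * 3600 + +om * 60) * (sign === "-" ? -1 : 1);
  return local - offset; // local wall-clock time minus its offset is UTC
}

// Parse one access-log line into a reset failure, or null if it is not a
// 400/403 response to a POST on the reset endpoint (or is malformed).
export function parseResetFailure(line: string): ResetAttempt | null {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  const [, ip = "", when = "", method = "", path = "", statusText = ""] = m;
  const status = Number(statusText);
  if (method !== "POST" || path.split("?")[0] !== RESET_PATH || !WATCHED_STATUSES.has(status)) return null;
  const ts = parseClfTime(when);
  return ts === null ? null : { ip, ts, status };
}

// Largest number of failures from one IP inside any window of `windowSec`.
export function peakBurstPerIp(attempts: ResetAttempt[], windowSec: number): Map<string, number> {
  const byIp = new Map<string, number[]>();
  for (const a of attempts) {
    const list = byIp.get(a.ip);
    if (list) list.push(a.ts); else byIp.set(a.ip, [a.ts]);
  }
  const peaks = new Map<string, number>();
  byIp.forEach((times, ip) => {
    times.sort((x, y) => x - y);
    let lo = 0;
    let best = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi]! - times[lo]! > windowSec) lo++; // two-pointer sliding window
      best = Math.max(best, hi - lo + 1);
    }
    peaks.set(ip, best);
  });
  return peaks;
}

// Client addresses whose failure burst reaches `threshold` within `windowSec`.
export function flagEnumerationSources(lines: string[], windowSec = 60, threshold = 5): string[] {
  const attempts = lines.map(parseResetFailure).filter((a): a is ResetAttempt => a !== null);
  const flagged: string[] = [];
  peakBurstPerIp(attempts, windowSec).forEach((count, ip) => {
    if (count >= threshold) flagged.push(ip);
  });
  return flagged.sort();
}

// Constructed sample: 203.0.113.7 hammers the endpoint and collects 400s,
// 198.51.100.4 fails twice half an hour apart, and a 204 and an unrelated
// 403 on another route are ignored.
export const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Feb/2026:10:00:01 +0000] "POST /auth/password/request HTTP/1.1" 400 83',
  '203.0.113.7 - - [12/Feb/2026:10:00:02 +0000] "POST /auth/password/request HTTP/1.1" 400 83',
  '198.51.100.4 - - [12/Feb/2026:10:00:03 +0000] "POST /auth/password/request HTTP/1.1" 403 0',
  '203.0.113.7 - - [12/Feb/2026:10:00:04 +0000] "POST /auth/password/request HTTP/1.1" 400 83',
  '203.0.113.7 - - [12/Feb/2026:10:00:05 +0000] "POST /auth/password/request HTTP/1.1" 204 0',
  '203.0.113.7 - - [12/Feb/2026:10:00:06 +0000] "POST /auth/password/request HTTP/1.1" 400 83',
  '203.0.113.7 - - [12/Feb/2026:10:00:07 +0000] "POST /auth/password/request HTTP/1.1" 400 83',
  '198.51.100.4 - - [12/Feb/2026:10:30:00 +0000] "POST /auth/password/request HTTP/1.1" 403 0',
  '203.0.113.7 - - [12/Feb/2026:11:00:00 +0000] "GET /items/articles HTTP/1.1" 403 0',
];

console.log("flagged:", flagEnumerationSources(SAMPLE_LOG)); // [ '203.0.113.7' ]
```

The threshold and window are deliberately low for the sample; on a real deployment tune them against the normal rate of failed reset requests, and treat a burst of 400s carrying the reset-URL error as a stronger signal than generic 403s, since that is the specific error the timing probe relies on.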

Remediation Steps:

  1. Pull the latest Docker image: directus/directus:11.14.1.
  2. Or update via npm: npm install @directus/api@32.2.0.
  3. Restart the Directus service.
