GHSA-mvv8-v4jj-g47j: Sensitive Field Exposure in Directus Revision History
Vulnerability ID: GHSA-MVV8-V4JJ-G47J
CVSS Score: 6.5
Published: 2026-04-04
Directus failed to consistently sanitize sensitive fields before storing them in the directus_revisions table and logging them in Directus Flows. This allowed authentication tokens, 2FA secrets, and third-party API keys to be exposed in plaintext, potentially leading to account takeover or external API abuse.
TL;DR
Directus < 11.17.0 exposes sensitive user and API credentials in plaintext within revision history and Flow logs due to bypassed sanitization routines.
Technical Details
- CWE ID: CWE-312
- Attack Vector: Network
- CVSS v3.1: 6.5 (Medium)
- Impact: High Confidentiality
- Exploit Status: Not Publicly Available
- Affected Ecosystem: npm
Affected Systems
- Directus core components
- Directus Flows
- directus_revisions table
- directus: < 11.17.0 (Fixed in: 11.17.0)
Code Analysis
Commit: 26c6985
Fix revisions not using prepareDelta
Mitigation Strategies
- Upgrade Directus to version 11.17.0
- Purge or redact historical records in the directus_revisions table
- Rotate all potentially exposed authentication tokens and API keys
Remediation Steps:
- Run npm update directus to install version 11.17.0 or higher.
- Audit the directus_revisions database table for entries containing plaintext sensitive fields.
- Execute an UPDATE statement to redact exposed fields (tfa_secret, token, ai_openai_api_key, etc.) in legacy records.
- Enforce a forced rotation of all API keys and 2FA secrets across the user base.
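The audit-and-redact steps above, worked through as an added example; this is not code from Directus or from the advisory. It assumes a simplified directus_revisions table whose data and delta columns hold JSON text (the real schema has more columns), uses an in-memory SQLite stand-in with constructed rows, and treats the field names named in the advisory plus any key containing "secret", "token", "password" or "api_key" as sensitive, which is a broader heuristic than the advisory lists.

```python
import json
import sqlite3

# Field names named in the advisory, plus a conservative name-based heuristic
# (assumption: broader than the advisory's list, chosen to catch similar keys).
SENSITIVE_FIELDS = {"tfa_secret", "token", "ai_openai_api_key"}
SENSITIVE_MARKERS = ("secret", "token", "password", "api_key")
REDACTED = "**********"


def is_sensitive_key(key: str) -> bool:
    k = key.lower()
    return k in SENSITIVE_FIELDS or any(m in k for m in SENSITIVE_MARKERS)


def redact(value):
    """Recursively replace values of sensitive keys.

    Returns (new_value, hits) where hits lists the dotted paths that were
    redacted. Already-redacted or empty values are left alone, so running
    this twice is idempotent.
    """
    if isinstance(value, dict):
        out, hits = {}, []
        for k, v in value.items():
            if is_sensitive_key(k) and v not in (None, "", REDACTED):
                out[k] = REDACTED
                hits.append(k)
            else:
                out[k], sub = redact(v)
                hits.extend(f"{k}.{h}" for h in sub)
        return out, hits
    if isinstance(value, list):
        out, hits = [], []
        for i, item in enumerate(value):
            r, sub = redact(item)
            out.append(r)
            hits.extend(f"[{i}].{h}" for h in sub)
        return out, hits
    return value, []


def audit_revisions(conn) -> list:
    """Return (revision id, exposed field paths) for rows holding plaintext secrets."""
    findings = []
    for rid, data, delta in conn.execute("SELECT id, data, delta FROM directus_revisions"):
        hits = []
        for col, blob in (("data", data), ("delta", delta)):
            if blob is None:
                continue
            _, sub = redact(json.loads(blob))
            hits.extend(f"{col}.{h}" for h in sub)
        if hits:
            findings.append((rid, hits))
    return findings


def redact_revisions(conn) -> int:
    """Rewrite the data/delta JSON of affected rows in place; returns rows changed."""
    changed = 0
    with conn:  # commits on success, rolls back on error
        # fetchall() so the UPDATEs do not run under an open SELECT cursor
        rows = conn.execute("SELECT id, data, delta FROM directus_revisions").fetchall()
        for rid, data, delta in rows:
            new_cols = {}
            for col, blob in (("data", data), ("delta", delta)):
                if blob is None:
                    continue
                new, hits = redact(json.loads(blob))
                if hits:
                    new_cols[col] = json.dumps(new)
            if new_cols:
                # column names come from the fixed tuple above, never from row content
                sets = ", ".join(f"{c} = ?" for c in new_cols)
                conn.execute(f"UPDATE directus_revisions SET {sets} WHERE id = ?",
                             [*new_cols.values(), rid])
                changed += 1
    return changed


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for directus_revisions (simplified schema, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directus_revisions "
                 "(id INTEGER PRIMARY KEY, collection TEXT, item TEXT, data TEXT, delta TEXT)")
    rows = [
        (1, "directus_users", "u1",
         json.dumps({"email": "alice@example.com", "tfa_secret": "JBSWY3DPEHPK3PXP",
                     "token": "constructed-token"}),
         json.dumps({"tfa_secret": "JBSWY3DPEHPK3PXP"})),
        (2, "directus_settings", "1",
         json.dumps({"project_name": "Demo", "ai_openai_api_key": "sk-constructed-example"}),
         json.dumps({"ai_openai_api_key": "sk-constructed-example"})),
        (3, "articles", "42",
         json.dumps({"title": "Hello", "status": "published"}),
         json.dumps({"status": "published"})),
    ]
    conn.executemany("INSERT INTO directus_revisions VALUES (?,?,?,?,?)", rows)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for rid, paths in audit_revisions(db):
        print(f"revision {rid}: plaintext in {', '.join(paths)}")
    print(f"redacted {redact_revisions(db)} rows; remaining findings: {audit_revisions(db)}")
```

Run the audit first and keep its output as the list of credentials that must be rotated; redaction only stops further disclosure from the history, it does nothing about copies that were already read. Against a real deployment, point the two functions at the production database driver instead of SQLite and take a backup before the UPDATE.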