Detections
Analytics

CVE-2026-26185

medium

Description

Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.

References

https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf

https://github.com/directus/directus/releases/tag/v11.14.1

https://github.com/directus/directus/pull/26485

https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a

Details

Source: Mitre, NVD

Published: 2026-02-12

Updated: 2026-02-13

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00009