CVE-2026-26185
Undergoing Analysis Undergoing Analysis - In Progress
Timing-Based User Enumeration in Directus Password Reset Function

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26185
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
monospace directus to 11.15.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Directus versions before 11.14.1 and involves the password reset functionality. Specifically, it is a timing-based user enumeration vulnerability where the response time differs by about 500 milliseconds depending on whether the reset_url parameter corresponds to an existing user or not. This timing difference allows an attacker to reliably determine if a user exists in the system.

Impact Analysis

The vulnerability allows attackers to enumerate valid users by measuring response times during password reset attempts. This can lead to privacy issues and potentially facilitate further attacks such as targeted phishing or brute force attempts against known user accounts.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by observing the response times of the password reset functionality when providing different reset_url parameters. Specifically, by sending requests with invalid reset_url parameters for both existing and non-existing users, you can measure the response time difference of approximately 500ms, which indicates the presence of the timing-based user enumeration vulnerability.

Commands to detect this might involve using tools like curl or any HTTP client to send password reset requests and measure response times. For example, using curl with time measurement options to compare responses for different users.

  • curl -w "%{time_total}\n" -o /dev/null -s "https://your-directus-instance.com/password-reset?reset_url=invalid_for_existing_user"
  • curl -w "%{time_total}\n" -o /dev/null -s "https://your-directus-instance.com/password-reset?reset_url=invalid_for_non_existing_user"

By comparing the total time taken for these requests, a consistent difference of about 500ms suggests the vulnerability is present.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Directus to version 11.14.1 or later, where this timing-based user enumeration vulnerability in the password reset functionality has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart