CVE-2026-35410
Received - Intake
Open Redirect Vulnerability in Directus Login Redirection

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: monospace
Product: directus
Version / Range: up to 11.16.1 (exclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-184: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an open redirect issue in Directus versions prior to 11.16.1. It occurs in the login redirection logic where the function responsible for allowing redirects (isLoginRedirectAllowed) fails to correctly identify certain malformed URLs as external. This flaw allows attackers to bypass the redirect allow-list validation and redirect users to arbitrary external domains after they successfully authenticate.


How can this vulnerability impact me?

The vulnerability can be exploited by attackers to redirect authenticated users to malicious external websites. This can lead to phishing attacks, where users might be tricked into providing sensitive information or downloading malware, thereby compromising user security and trust.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Directus to version 11.16.1 or later, where the open redirect issue in the login redirection logic has been fixed.
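
For teams that run their own post-login redirect check, here is an added example (not Directus code and not the 11.16.1 patch) of the kind of validation the description says isLoginRedirectAllowed got wrong: parse the target, then decide on the parsed origin instead of the raw string. `PUBLIC_URL`, `ALLOWED_ORIGINS` and `resolveLoginRedirect` are hypothetical names, and the sample inputs are constructed generic cases, not the inputs behind this CVE.

```javascript
// Added example. PUBLIC_URL and ALLOWED_ORIGINS are assumed deployment values.
const PUBLIC_URL = 'https://cms.example.com';
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Returns the normalised URL to redirect to, or null if the target is refused.
function resolveLoginRedirect(target, publicUrl = PUBLIC_URL, allowed = ALLOWED_ORIGINS) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) return null;

  // Refuse characters that URL parsers normalise silently (backslashes become
  // slashes, tabs and newlines are dropped), so the string that was checked
  // is the string that gets sent.
  if (/[\\\u0000-\u0020\u007f]/.test(target)) return null;

  const base = new URL(publicUrl);
  let parsed;
  try {
    // Resolve against our own origin, the way a browser resolves Location.
    parsed = new URL(target, base);
  } catch {
    return null; // unparseable input is treated as external
  }

  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (parsed.username || parsed.password) return null; // no userinfo tricks

  // Decide on the parsed origin, never on a prefix or substring of the input.
  if (parsed.origin !== base.origin && !allowed.has(parsed.origin)) return null;

  // Hand back the normalised form so validator and browser cannot disagree.
  return parsed.href;
}

// Constructed sample inputs: two legitimate targets, then ambiguous forms.
const samples = [
  '/admin/content',
  'https://app.example.com/callback?x=1',
  '//other.example/path',
  'https://cms.example.com.other.example/',
  'https://cms.example.com@other.example/',
  '/\\other.example',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveLoginRedirect(s));
}
```

The fail-closed default matters: anything the parser cannot place on a known origin is refused instead of being passed through as "probably relative".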

