CVE-2026-35411
Open Redirect in Directus 2FA Setup Enables Phishing Attacks

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: monospace
Product: directus
Version / Range: up to 11.16.1 (exclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Quick Actions
Instant insights powered by AI
Executive Summary

Directus versions prior to 11.16.1 have an open redirect vulnerability on the /admin/tfa-setup page via the redirect query parameter.

When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a specially crafted URL, they see the legitimate 2FA setup page.

After completing the 2FA setup, the application redirects the user to an attacker-controlled URL specified in the redirect parameter without validating it.

This means an attacker can trick administrators into visiting a trusted page and then redirect them to a malicious site.

Impact Analysis

This vulnerability can be exploited in phishing attacks targeting Directus administrators.

Because the initial interaction happens on a trusted Directus domain, administrators may be more likely to trust the page and fall victim to the attack.

Once the administrator completes the 2FA setup, the application sends them to the attacker's website, potentially leading to credential theft or further compromise.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Directus to version 11.16.1 or later, where the open redirect issue via the redirect query parameter on the /admin/tfa-setup page has been fixed.
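As an added illustration, not Directus's own code or its 11.16.1 fix, this shows one way a server can validate a redirect query parameter before honouring it after 2FA setup; the application origin and the Express-style handler are assumed placeholders.

```javascript
// Added example: allowlist-style validation of a post-2FA "redirect" parameter.
// Not Directus code. APP_ORIGIN is an assumed placeholder for the deployment.
const APP_ORIGIN = 'https://directus.example';
const DEFAULT_LANDING = '/admin/';

// Returns a safe same-origin path to send the user to after 2FA setup.
// Anything that is not a plain in-app path falls back to DEFAULT_LANDING.
function sanitizeRedirect(redirect, fallback = DEFAULT_LANDING) {
  if (typeof redirect !== 'string' || redirect.length === 0) return fallback;
  // Control characters and whitespace have no place in a redirect target.
  if (/[\u0000-\u001f\u007f\s]/.test(redirect)) return fallback;
  // Accept only paths ("/x"). This rejects absolute URLs and schemes such as
  // "javascript:", protocol-relative "//host", and "/\host" (browsers treat
  // the backslash like a slash).
  if (!redirect.startsWith('/') || /^\/[\/\\]/.test(redirect)) return fallback;
  let parsed;
  try {
    parsed = new URL(redirect, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // The resolved URL must still be on our origin.
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Re-emit only the normalised path, query and fragment, never a host part.
  // Normalisation itself can produce "//host" (e.g. from "/..//host"), so the
  // protocol-relative check is repeated on the output.
  const target = parsed.pathname + parsed.search + parsed.hash;
  if (/^\/[\/\\]/.test(target)) return fallback;
  return target;
}

// Illustrative use in an Express-style handler (assumed framework, not Directus internals).
function tfaSetupComplete(req, res) {
  res.redirect(sanitizeRedirect(req.query.redirect));
}
```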
