CVE-2026-35411
Open Redirect in Directus 2FA Setup Enables Phishing Attacks
Publication date: 2026-04-06
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | versions before 11.16.1 (11.16.1 excluded from the affected range) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
Directus versions prior to 11.16.1 contain an open redirect (CWE-601) on the /admin/tfa-setup page: the value of the redirect query parameter is used as the post-setup destination without being validated.
An administrator who has not yet configured Two-Factor Authentication (2FA) and visits a crafted link sees the genuine 2FA setup page on the real Directus host, so nothing looks out of place.
Once the administrator completes the setup, the application sends the browser to whatever URL the redirect parameter named, including an attacker-controlled external site.
The result is a trusted first hop: the victim starts on a legitimate, same-origin page and only afterwards lands on the attacker's site, which is what makes the redirect useful for phishing.
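The following is an added illustration of the pattern described above, not Directus source code: a post-setup redirect that trusts the redirect parameter as-is, beside a hardened version that only accepts a same-origin path. The origin, the fallback path and the query shape are assumptions made for the example.

```javascript
// Added example (not Directus code). Shows an unvalidated post-2FA-setup redirect
// and a hardened replacement that only allows same-origin paths.
// APP_ORIGIN and the '/admin/settings' fallback are assumed values for illustration.

const APP_ORIGIN = 'https://cms.example.com'; // constructed sample origin

// Parse the query of a crafted link into a plain object (helper for the demo).
function queryFromUrl(link) {
  return Object.fromEntries(new URL(link).searchParams);
}

// Vulnerable pattern: the redirect parameter is used verbatim as the destination,
// so an external URL in it sends the freshly-enrolled admin off-site.
function vulnerableRedirectTarget(query, fallback = '/admin/settings') {
  return query.redirect || fallback;
}

// Hardened pattern: accept only a path on our own origin, otherwise use the fallback.
function safeRedirectTarget(query, fallback = '/admin/settings') {
  const candidate = query.redirect;
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;
  // Must be a single-slash absolute path. This rejects absolute URLs with a scheme
  // ("https://..."), protocol-relative URLs ("//host") and the backslash variant
  // ("/\host"), which browsers normalise to an authority.
  if (!candidate.startsWith('/') || /^\/[\/\\]/.test(candidate)) return fallback;
  // Reject control characters and whitespace that could smuggle a second URL.
  if (/[\u0000-\u001f\s]/.test(candidate)) return fallback;
  // Resolve against our origin and confirm the parser agrees it stayed there.
  let resolved;
  try {
    resolved = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;
  // Return path + query + fragment only, so the value can never carry an origin.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed phishing link of the shape the advisory describes (example host only).
const CRAFTED_LINK =
  'https://cms.example.com/admin/tfa-setup?redirect=https%3A%2F%2Fevil.example%2Flogin';

console.log('vulnerable ->', vulnerableRedirectTarget(queryFromUrl(CRAFTED_LINK)));
console.log('hardened   ->', safeRedirectTarget(queryFromUrl(CRAFTED_LINK)));
```

The hardened function returns the normalised path rather than the raw parameter, so even a value that passes the checks cannot reintroduce a host or scheme; anything that fails falls back to a fixed in-app page instead of being rejected with an error the attacker could tune around.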
How can this vulnerability impact me?
This vulnerability is a phishing aid aimed at Directus administrators rather than a direct breach of the instance.
Because the interaction starts on the real Directus domain and shows the genuine 2FA setup page, the target has every reason to trust it.
Only after 2FA setup completes is the administrator sent to the attacker's site, which can imitate the Directus login to harvest credentials or the newly enrolled 2FA codes, or serve further malicious content.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Directus to version 11.16.1 or later, which fixes the open redirect via the redirect query parameter on the /admin/tfa-setup page. The exposure is limited to administrators who have not yet set up 2FA, so until the upgrade is applied, treat links to /admin/tfa-setup that carry an external redirect value as suspicious.