CVE-2026-35413
Received Received - Intake
GraphQL Introspection Bypass in Directus Exposes Schema Data

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. This vulnerability is fixed in 11.16.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35413
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
monospace directus to 11.16.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Directus versions prior to 11.16.1 when the configuration GRAPHQL_INTROSPECTION=false is set. Although standard GraphQL introspection queries (__schema, __type) are blocked as intended, the server_specs_graphql resolver on the /graphql/system endpoint still returns an equivalent schema representation. This bypasses the introspection restriction and exposes the database schema structure, including collection names, field names, types, and relationships.

The exposure occurs to unauthenticated users at the public permission level and to authenticated users at their permitted permission level.

This issue was fixed in Directus version 11.16.1.

Impact Analysis

The vulnerability allows unauthorized users to gain access to the database schema structure, which includes collection names, field names, types, and relationships.

This exposure can aid attackers in understanding the database layout, potentially facilitating further attacks such as data extraction, privilege escalation, or targeted exploitation.

Since the vulnerability has a CVSS base score of 5.3 with network attack vector and no privileges required, it represents a moderate risk.

Mitigation Strategies

To mitigate this vulnerability, upgrade Directus to version 11.16.1 or later, where the issue is fixed.

Compliance Impact

This vulnerability exposes the schema structure of the database, including collection names, field names, types, and relationships, to unauthenticated and authenticated users beyond intended restrictions.

Such exposure of database schema information could potentially increase the risk of unauthorized data access or data leakage, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive data and limiting access.

However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart