Compliance Impact

The vulnerability allows an attacker to overwrite files and manipulate metadata such as uploaded_by, which compromises data integrity and can conceal tampering.

This unauthorized modification and potential data corruption can lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require maintaining data integrity and preventing unauthorized access or alteration.

Additionally, if exploited to deploy malicious extensions leading to remote code execution, it could further violate security requirements mandated by these regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-39942 is a high-severity broken access control vulnerability in the Directus file management API affecting versions prior to 11.17.0.

The vulnerability exists in the PATCH /files/{id} endpoint, which accepts a user-controlled parameter called filename_disk.

An attacker can manipulate filename_disk to match the storage path of another user's file, allowing them to overwrite that file's content and alter metadata fields such as uploaded_by to hide the tampering.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized file overwrites, enabling attackers to replace legitimate files with malicious content.

Potential impacts include malware propagation, data corruption, and compromised data integrity since files can be modified or replaced without visible indication in the application interface.

If the storage backend is shared with the extensions directory, attackers can deploy malicious extensions that execute arbitrary code, leading to remote code execution.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your Directus instance is running a version prior to 11.17.0 and if the PATCH /files/{id} endpoint is accessible with the filename_disk parameter being user-controllable.

You can check the Directus version by running a command on the server hosting Directus, for example:

• Check the installed Directus version via npm: npm list directus
• Or check the version in the Directus UI or API response headers if available.

To detect exploitation attempts or suspicious activity, monitor HTTP PATCH requests to the /files/{id} endpoint and look for unusual or unauthorized changes to the filename_disk parameter or metadata fields like uploaded_by.

Example command to monitor logs for suspicious PATCH requests (assuming logs are stored in /var/log/directus/access.log):

• grep 'PATCH /files/' /var/log/directus/access.log | grep filename_disk

Additionally, network monitoring tools or web application firewalls (WAF) can be configured to alert on PATCH requests modifying file storage paths.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Directus to version 11.17.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the PATCH /files/{id} endpoint to trusted users only and monitor for suspicious activity.

Additional mitigation includes server-side enforcement to treat filename_disk as a server-controlled value, ensuring uniqueness of storage paths, and excluding filename_disk from user-updatable fields.

Implement access controls and audit logging to detect and prevent unauthorized file overwrites.

Useful 0 Not Useful 0