CVE-2026-39943
Sensitive Data Exposure in Directus Revisions via Missing Sanitization

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: monospace
Product: directus
Version / Range: up to 11.17.0 (excluded)
CWE ID and Description
CWE-312: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39943 is a vulnerability in the Directus npm package versions prior to 11.17.0 where sensitive information is exposed in revision history records stored in the directus_revisions table.

When items are created or updated, Directus saves revision snapshots, but the snapshot data was not consistently processed through the prepareDelta sanitization pipeline. This caused sensitive fields such as user tokens, two-factor authentication secrets, external authentication identifiers, authentication data, stored credentials, and AI provider API keys to be stored in plaintext within these revision records.

The vulnerability arises because sensitive data is stored without redaction during item creation or update. It also arises when a user is auto-suspended after repeated failed login attempts: in that path the raw user object, including its sensitive fields, is stored instead of a sanitized version.

This issue was fixed in Directus version 11.17.0 by ensuring that revision snapshots are properly sanitized before storage.


How can this vulnerability impact me?

This vulnerability can lead to exposure of highly sensitive information stored in the revision history, including user tokens, two-factor authentication secrets, authentication data, stored credentials, and API keys.

An attacker or unauthorized user with read access to the directus_revisions table or flow logs could retrieve this confidential data in plaintext.

The potential impacts include account takeover through stolen tokens or 2FA secrets and unauthorized use of third-party API keys, which could lead to further compromise of systems or data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the contents of the directus_revisions table in your Directus database for plaintext sensitive fields such as user tokens, two-factor authentication secrets, external authentication identifiers, authentication data, stored credentials, and AI provider API keys.

You can use database query commands to search for these sensitive fields in the revision records. For example, if you are using a SQL database, you might run queries like:

  • SELECT * FROM directus_revisions WHERE data LIKE '%token%';
  • SELECT * FROM directus_revisions WHERE data LIKE '%tfa_secret%';
  • SELECT * FROM directus_revisions WHERE data LIKE '%auth_data%';
  • SELECT * FROM directus_revisions WHERE data LIKE '%credentials%';

These commands help identify if sensitive information is stored in plaintext within the revision history, indicating the presence of the vulnerability.
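The following is an added example, not Directus code, covering both the missing sanitization step described above and the detection queries: redactSensitive() stands in for the redaction that should run before a snapshot is written, and findLeakedSecrets() scans rows from directus_revisions by parsing the JSON instead of substring matching, so a redacted or empty value, or the word "token" inside ordinary content, is not reported. The field names token, tfa_secret, external_identifier and auth_data come from this page; the regex for credential and API key fields and the sample rows are assumptions.

```javascript
// token, tfa_secret, external_identifier and auth_data are directus_users
// fields named on this page; the regex is an assumption standing in for the
// stored-credential and AI provider API key field names the page does not give.
const SENSITIVE_FIELDS = new Set(['token', 'tfa_secret', 'external_identifier', 'auth_data']);
const SENSITIVE_PATTERN = /(api_key|credentials|secret|password)$/i;
const REDACTED = '**********';
const isSensitive = (key) => SENSITIVE_FIELDS.has(key) || SENSITIVE_PATTERN.test(key);

// Stand-in for the sanitization the advisory says the snapshot path skipped:
// replace sensitive values before data/delta are written, recursing into nesting.
function redactSensitive(value) {
  if (Array.isArray(value)) return value.map(redactSensitive);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    out[key] = isSensitive(key) ? REDACTED : redactSensitive(inner);
  }
  return out;
}

// Detection over rows read from directus_revisions (id, collection, data, delta).
// A hit is a sensitive key holding a real value; redacted and empty values are
// skipped, and "token" inside ordinary content is not a hit, unlike with LIKE.
function findLeakedSecrets(rows) {
  const hits = [];
  const walk = (node, path, row, column) => {
    if (Array.isArray(node)) return node.forEach((v, i) => walk(v, [...path, i], row, column));
    if (node === null || typeof node !== 'object') return;
    for (const [key, inner] of Object.entries(node)) {
      if (isSensitive(key) && typeof inner === 'string' && inner !== '' && inner !== REDACTED) {
        hits.push({ id: row.id, collection: row.collection, column, field: [...path, key].join('.') });
      } else {
        walk(inner, [...path, key], row, column);
      }
    }
  };
  for (const row of rows) {
    for (const column of ['data', 'delta']) {
      if (row[column]) walk(JSON.parse(row[column]), [], row, column);
    }
  }
  return hits;
}

// Constructed sample rows in the shape of directus_revisions (data/delta as JSON text).
const SAMPLE_ROWS = [
  { id: 1, collection: 'directus_users', data: JSON.stringify({ email: 'a@example.com', token: 'abc123', tfa_secret: 'JBSWY3DP' }), delta: JSON.stringify({ token: 'abc123' }) },
  { id: 2, collection: 'directus_users', data: JSON.stringify({ email: 'b@example.com', token: REDACTED }), delta: null },
  { id: 3, collection: 'articles', data: JSON.stringify({ title: 'About the token format' }), delta: null },
];
console.log(findLeakedSecrets(SAMPLE_ROWS)); // three hits, all from row 1
```

Row 3 would match the LIKE '%token%' query above but is not a leak; row 2 already holds a redacted value and is likewise skipped.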


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Directus to version 11.17.0 or later, where this vulnerability has been fixed by properly sanitizing revision snapshots before storage.

Additionally, restrict read access to the directus_revisions table and flow logs to only trusted users and services to minimize exposure of sensitive data.

Review and rotate any potentially exposed credentials, tokens, two-factor authentication secrets, and API keys that may have been stored in plaintext in the revision records.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes sensitive information such as user tokens, two-factor authentication secrets, external authentication identifiers, authentication data, stored credentials, and AI provider API keys to be stored in plaintext within revision records. Such exposure of sensitive data can lead to unauthorized access and potential account takeover.

Storing sensitive data in plaintext and exposing it to unauthorized actors can violate data protection requirements found in common standards and regulations like GDPR and HIPAA, which mandate the protection and confidentiality of personal and sensitive information.

Therefore, this vulnerability undermines compliance with these regulations by failing to adequately protect sensitive data, increasing the risk of data breaches and unauthorized disclosure.

