Executive Summary

CVE-2026-39943 is a vulnerability in the Directus npm package versions prior to 11.17.0 where sensitive information is exposed in revision history records stored in the directus_revisions table.

When items are created or updated, Directus saves revision snapshots, but the snapshot data was not consistently processed through the prepareDelta sanitization pipeline. This caused sensitive fields such as user tokens, two-factor authentication secrets, external authentication identifiers, authentication data, stored credentials, and AI provider API keys to be stored in plaintext within these revision records.

The vulnerability arises because sensitive data is stored without redaction during item creation or update, and also when a user is auto-suspended after repeated failed login attempts, the raw user object containing sensitive fields is stored instead of a sanitized version.

This issue was fixed in Directus version 11.17.0 by ensuring that revision snapshots are properly sanitized before storage.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to exposure of highly sensitive information stored in the revision history, including user tokens, two-factor authentication secrets, authentication data, stored credentials, and API keys.

An attacker or unauthorized user with read access to the directus_revisions table or flow logs could retrieve this confidential data in plaintext.

The potential impacts include account takeover through stolen tokens or 2FA secrets and unauthorized use of third-party API keys, which could lead to further compromise of systems or data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the contents of the directus_revisions table in your Directus database for plaintext sensitive fields such as user tokens, two-factor authentication secrets, external authentication identifiers, authentication data, stored credentials, and AI provider API keys.

You can use database query commands to search for these sensitive fields in the revision records. For example, if you are using a SQL database, you might run queries like:

• SELECT * FROM directus_revisions WHERE data LIKE '%token%';
• SELECT * FROM directus_revisions WHERE data LIKE '%tfa_secret%';
• SELECT * FROM directus_revisions WHERE data LIKE '%auth_data%';
• SELECT * FROM directus_revisions WHERE data LIKE '%credentials%';

These commands help identify if sensitive information is stored in plaintext within the revision history, indicating the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Directus to version 11.17.0 or later, where this vulnerability has been fixed by properly sanitizing revision snapshots before storage.

Additionally, restrict read access to the directus_revisions table and flow logs to only trusted users and services to minimize exposure of sensitive data.

Review and rotate any potentially exposed credentials, tokens, two-factor authentication secrets, and API keys that may have been stored in plaintext in the revision records.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes sensitive information such as user tokens, two-factor authentication secrets, external authentication identifiers, authentication data, stored credentials, and AI provider API keys to be stored in plaintext within revision records. Such exposure of sensitive data can lead to unauthorized access and potential account takeover.

Storing sensitive data in plaintext and exposing it to unauthorized actors can violate data protection requirements found in common standards and regulations like GDPR and HIPAA, which mandate the protection and confidentiality of personal and sensitive information.

Therefore, this vulnerability undermines compliance with these regulations by failing to adequately protect sensitive data, increasing the risk of data breaches and unauthorized disclosure.

Useful 0 Not Useful 0