CVE-2026-26185

Published
View on NVD ↗
CVSS v3
5.3
MEDIUM
CVSS v2
N/A
Affected
1
PROJECT

Description

Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.

directus/directus
directus/directus
The flexible backend for all your projects 🐰 Turn your DB into a headless CMS, admin panels, or apps with a custom UI, instant APIs, auth & more.
GitHubGitHub
36.2K