Directus, Open Redirect, CVE-2026-XXXXX (Moderate severity)

Listen to this Post

The vulnerability is an unvalidated open redirect within the Directus Admin App’s Two-Factor Authentication (2FA) setup flow. It is triggered on the `/admin/tfa-setup` endpoint using a `redirect` query parameter. When an administrator who has not yet configured 2FA accesses a maliciously crafted URL like https://trusted.directus.com/admin/tfa-setup?redirect=https://attacker.com`, the legitimate Directus 2FA setup page is displayed. The user, trusting the domain, proceeds with the 2FA enrollment process. Upon successful completion, the application executes an HTTP redirect to the URL specified in the `redirect` parameter without any validation. The user’s browser is then silently forwarded to the attacker-controlled domain. The vulnerability stems from the application’s failure to validate the redirect target against an internal allowlist or the same-origin policy. This issue can be exploited by any unauthenticated remote attacker, as it only requires the victim to click a crafted link. The attack chain effectively bypasses the trust associated with the original domain, turning it into a phishing vector. A fix would involve implementing strict validation of the `redirect` parameter, allowing only relative paths or pre-approved safe domains.
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Directus App
Version: Affected versions
Vulnerability : Open Redirect
Severity: Moderate (4.3)
date: 2026-04-02
<h2 style="color: blue;">Prediction: Patch by 2026-04-16</h2>
<h2 style="color: blue;">Analytics under What Undercode Say:</h2>
The vulnerability can be detected by monitoring for outbound redirects to uncommon external domains after a 2FA setup event. Analytics can also track the ratio of the `redirect` parameter value to known, safe internal paths. A simple bash script to test for the vulnerability:

!/bin/bash
TARGET_URL="https://your-directus-instance.com/admin/tfa-setup?redirect=https://evil.com"
curl -v -L "$TARGET_URL" 2>&1 | grep -i "location: https://evil.com"

If the server responds with a `302 Found` and a `Location` header pointing toevil.com`, the system is vulnerable.

How Exploit:

An attacker sends a phishing email containing the crafted URL to a target administrator. The victim clicks the link, completes 2FA on the legitimate site, and is then redirected to the attacker’s page. This can be used to steal session tokens or OAuth codes if the malicious page mimics an error message asking the user to re-authenticate.

Protection from this CVE:

Upgrade Directus to the latest patched version once released. As a workaround, implement a reverse proxy rule to block any request to `/admin/tfa-setup` containing a `redirect` parameter that points to an external domain. Alternatively, manually validate the `redirect` value in the application code to ensure it is a relative path.

Impact:

The primary impact is the erosion of user trust, making the Directus instance a launchpad for sophisticated phishing attacks. This can lead to credential theft and unauthorized access to the administrative panel, compromising the entire content management system and its underlying data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top