GHSA-qqmv-5p3g-px89 (CVE-2026-35412)

Details

Summary

Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.

Impact

Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.
Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.

Workaround

Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Affected Packages

directus

npm

Fixed in:

11.16.1

References

ADVISORY

https://github.com/advisories/GHSA-qqmv-5p3g-px89

PACKAGE

https://github.com/directus/directus

WEB

https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-35412