What is CVE-2026-35410?

CVE-2026-35410 is a medium-severity vulnerability in Directus, classified under Incomplete List of Disallowed Inputs. CVSS score: 6.1/10. Published 2026-04-06.

How severe is CVE-2026-35410?

Medium severity. CVSS v3 base score is 6.1 out of 10.

Open Redirect in Directus

CVE-2026-35410

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certai…

EPSS: 0.000 (3.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Affected products

Directus — versions < 11.16.1

Weakness classification (CWE)

CWE-184 — Incomplete List of Disallowed Inputs
CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-35410?: CVE-2026-35410 is a medium-severity vulnerability in Directus, classified under Incomplete List of Disallowed Inputs. CVSS score: 6.1/10. Published 2026-04-06.
How severe is CVE-2026-35410?: Medium severity. CVSS v3 base score is 6.1 out of 10.