{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39943", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.820Z", "datePublished": "2026-04-09T16:12:09.963Z", "dateUpdated": "2026-04-10T14:06:06.440Z"}, "containers": {"cna": {"title": "Directus exposes sensitive fields in revision history", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"}, {"name": "https://github.com/directus/directus/releases/tag/v11.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:12:09.963Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "source": {"advisory": "GHSA-mvv8-v4jj-g47j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:06:00.499034Z", "id": "CVE-2026-39943", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:06:06.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:06:00.499034Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:06:03.620Z"}}], "cna": {"title": "Directus exposes sensitive fields in revision history", "source": {"advisory": "GHSA-mvv8-v4jj-g47j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": "< 11.17.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "name": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/directus/directus/releases/tag/v11.17.0", "name": "https://github.com/directus/directus/releases/tag/v11.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:12:09.963Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39943", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:06:06.440Z", "dateReserved": "2026-04-07T22:40:33.820Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T16:12:09.963Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F2EBB337-0000-4792-940F-DAEFCFC17747", "versionEndExcluding": "11.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "id": "CVE-2026-39943", "lastModified": "2026-04-14T17:34:15.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:29.960", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-14T18:29:06.661685+00:00", "value": {"mitigation_remediation": ["Upgrade Directus to version 11.17.0 or later"], "summary": {"action": "Immediate Patch", "impact": "Sensitive data exposure"}, "threat_synthesis": {"affected_systems": "Directus, versions before 11.17.0, where revision history records were not properly sanitized. The issue resolves in Directus 11.17.0 and later.", "description_and_impact": "The vulnerability allows sensitive data such as user tokens, TOTP secrets, external auth identifiers, stored credentials, and AI provider API keys to be stored in plaintext within revision history records. This was due to the revision snapshot logic sometimes bypassing the sanitization pipeline, resulting in disclosure of confidential information. The weakness corresponds to CWE-200 (Information Exposure) and CWE-312 (Cleartext Storage of Sensitive Information).", "risk_and_exploitability": "With a CVSS score of 6.5 the vulnerability carries a medium\u2011high impact. The EPSS score is below 1%, indicating a low likelihood of exploitation, and the problem is not listed in CISA's KEV catalog. The likely attack vector is through normal use of the API to create or update items that trigger revisions. An attacker with access to revision data\u2014such as an insider or a compromised user\u2014could obtain plaintext tokens and secrets."}}}}, "created": "2026-04-10T08:53:02.946918+00:00", "updated": "2026-04-15T16:00:07.803431+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}