{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39943", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.820Z", "datePublished": "2026-04-09T16:12:09.963Z", "dateUpdated": "2026-04-10T14:06:06.440Z"}, "containers": {"cna": {"title": "Directus exposes sensitive fields in revision history", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"}, {"name": "https://github.com/directus/directus/releases/tag/v11.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"version": "< 11.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:12:09.963Z"}, "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "source": {"advisory": "GHSA-mvv8-v4jj-g47j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:06:00.499034Z", "id": "CVE-2026-39943", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:06:06.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:06:00.499034Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:06:03.620Z"}}], "cna": {"title": "Directus exposes sensitive fields in revision history", "source": {"advisory": "GHSA-mvv8-v4jj-g47j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "directus", "product": "directus", "versions": [{"status": "affected", "version": "< 11.17.0"}]}], "references": [{"url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "name": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/directus/directus/releases/tag/v11.17.0", "name": "https://github.com/directus/directus/releases/tag/v11.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:12:09.963Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39943", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:06:06.440Z", "dateReserved": "2026-04-07T22:40:33.820Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T16:12:09.963Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0."}], "id": "CVE-2026-39943", "lastModified": "2026-04-09T17:16:29.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:29.960", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/directus/directus/releases/tag/v11.17.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "directus", "source": "cna", "vendor": "directus"}, "product": "directus", "vendor": "directus"}], "analysis": {"en": {"generated_at": "2026-04-09T17:22:13.385173+00:00", "value": {"mitigation_remediation": ["Upgrade Directus to version\u00a011.17.0 or later"], "summary": {"action": "Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects installations of Directus running any version prior to 11.17.0. The vendor\u2019s own advisory states that patching to Directus\u00a011.17.0 or later resolves the issue. All Directus deployments need to verify their current version and upgrade if they are below the fixed release.", "description_and_impact": "Directus automatically records changes to items in a revision table. A missing sanitization step allowed sensitive data such as user tokens, two\u2011factor secrets, external auth identifiers, credentials, and AI provider API keys to be written to revision records in plain text. An attacker who can read revision history can therefore obtain confidential authentication material and potentially compromise user accounts. The weakness is identified as CWE\u2011200 (Information Exposure) and CWE\u2011312 (Cleartext Storage of Sensitive Information).", "risk_and_exploitability": "The CVSS score of 6.5 classifies the vulnerability as medium severity. Although no EPSS score is reported and the vulnerability is not listed in the CISA KEV catalog, it remains an exploitable information\u2011disclosure risk. The likely attack vector is via the web API or dashboard where authorized or even partially\u2011privileged users can view revision history, allowing them to download or view the plaintext data stored in the database. Because revision records are normally accessible to roles with data read permissions, a determined attacker who gains such access can exploit the flaw without needing additional privileges."}}}}, "created": "2026-04-10T08:53:02.946918+00:00", "updated": "2026-04-10T09:32:15.261553+00:00", "vendors": ["directus", "directus$PRODUCT$directus"]}