CVE-2026-39943

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.

References

• https://github.com/directus/directus/releases/tag/v11.17.0
• https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j