CVE-2026-35411

MEDIUM4.3EPSS 0.02%

Directus: Open Redirect in Admin 2FA Setup Page

Published: 4/4/2026Modified: 4/7/2026

Description

### Summary Directus is vulnerable to an Open Redirect via the redirect query parameter on the `/admin/tfa-setup` page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the `redirect` parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. ### Credits Discovered by Neo by ProjectDiscovery (https://neo.projectdiscovery.io/)

Affected packages (1)

npm/directusfrom 0, < 11.16.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35411
PATCHhttps://github.com/directus/directus
WEBhttps://github.com/directus/directus/security/advisories/GHSA-q75c-4gmv-mg9x