CVE-2026-35412

Description

## Summary Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on `directus_files`, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. ## Impact - **Arbitrary file overwrite:** Any authenticated user with basic TUS upload permissions can overwrite any file in `directus_files` by UUID, regardless of row-level permission rules. - **Permanent data loss:** The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content. - **Metadata corruption:** The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in `directus_files`, a low-privilege user could replace them with malicious content. ## Workaround Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required. ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).

Affected packages (1)

• npm/directusfrom 0, < 11.16.1

CVSS scores

References (3)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-35412
• PATCHhttps://github.com/directus/directus
• WEBhttps://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89