Description

Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.

INFO

Published Date :

2026-02-12T21:54:13.901Z

Last Modified :

2026-02-13T15:59:06.336Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26185 vulnerability.

Vendors Products
Directus
  • Directus
Monospace
  • Directus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26185.

URL Resource
https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a cve-icon cve-icon
https://github.com/directus/directus/pull/26485 cve-icon cve-icon
https://github.com/directus/directus/releases/tag/v11.14.1 cve-icon cve-icon
https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact