๐Ÿ” CVE Alert

CVE-2026-61835

HIGH 7.7

Directus: SSRF Protection Bypass via 0.0.0.0 in File Import

CVSS Score
7.7
EPSS Score
0.0%
EPSS Percentile
0th

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, the SSRF protection on Directus's file-import-from-URL feature can be bypassed using the address 0.0.0.0 because api/src/request/is-denied-ip.ts treats 0.0.0.0 as a keyword for local interfaces but never blocks the literal address itself. On Linux and macOS, connecting to 0.0.0.0 reaches localhost, so an authenticated user with file-upload rights can make the server fetch internal services through the /files/import endpoint and retrieve the response as a downloadable file. This issue is fixed in version 12.0.0.

CWE CWE-918
Vendor directus
Product directus
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for directus directus

Be the first to know when new high vulnerabilities affecting directus directus are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

directus / directus
< 12.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/directus/directus/security/advisories/GHSA-j5h6-vqc3-phqh github.com: https://github.com/directus/directus/pull/27606 github.com: https://github.com/directus/directus/commit/f75b25fa44b05c6022b20f231c20bc6e50f021d7 github.com: https://github.com/directus/directus/releases/tag/v12.0.0