Directus patches concealed-field leaks via aggregate queries
TL;DR — Directus aggregate queries can leak values from fields marked conceal, letting low-privileged authenticated users extract API tokens and 2FA secrets if they have read access to affected collections.
What happened
Directus is a real-time API and app dashboard for managing SQL database content. CVE-2026-35442 describes a High-severity issue where Directus’ conceal masking is applied correctly to standard reads, but fails for aggregate query responses: when min/max aggregates are combined with groupBy, concealed fields can be returned as raw database values instead of masked placeholders.
The CVE record explicitly calls out sensitive impact: authenticated users with read access to the affected collection can extract concealed values including static API tokens and two-factor authentication (TOTP) secrets from directus_users.
| Item | Source value |
|---|---|
| Affected product | directus |
| Affected versions | < 11.17.0 |
| Severity | CVSS v3.1 8.1 (High) |
| Attack precondition | Authenticated user with read access to impacted collections |
This is operationally notable because “masking” features are often treated as a last-line safety control for secrets in admin platforms. When masking is bypassable via alternative query shapes (aggregates, filters, exports), it becomes a quiet privilege boundary break that can turn ordinary read permissions into account takeover material.
Who is impacted
- Deployments running `directus` versions reported as affected in the CVE record (< 11.17.0).
- Instances that rely on `conceal` to protect sensitive fields (notably within `directus_users`).
- Environments where non-admin users can run aggregate queries (`min`, `max`) and use `groupBy` against collections that include concealed fields.
| Source | Affected versions | Fixed version (as stated by source) |
|---|---|---|
| CVE record | < 11.17.0 | 11.17.0 |
What to do now
- Follow vendor remediation guidance and apply the patched release. As the source states: "This vulnerability is fixed in 11.17.0."
- Inventory where `directus` is deployed and identify which environments expose aggregate query capabilities to non-admin roles (including service accounts).
- Review Directus role/permission rules for any collections containing concealed secrets (especially `directus_users`) and confirm whether those roles can perform aggregates with `groupBy`.
- Treat affected instances as potential secret-exposure events:
  - review access logs for unexpected aggregate queries targeting sensitive collections
  - rotate sensitive values stored in concealed fields (e.g., static API tokens) if compromise is suspected
  - consider re-enrolling 2FA / rotating TOTP seeds where your operational model supports it (based on how Directus is used in your environment)
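The inventory and log-review steps above can be scripted. The following is an added example written for this page, not code from Directus or from the CVE record: it compares reported version strings against the fixed release (11.17.0) and scans access-log lines for the query shape the advisory describes (a `min`/`max` aggregate combined with `groupBy` against a collection holding concealed fields). Everything beyond what the advisory states is an assumption: the log lines are constructed in Combined Log Format, `directus_users` is assumed to be reached through the `/users` endpoint, and the concealed column names `token` and `tfa_secret` are assumed rather than taken from the page.

```python
"""Added example (not Directus project code): triage helpers for the
advisory's "what to do now" steps.

1. is_affected() compares a reported Directus version against the fixed
   release named in the CVE record (11.17.0).
2. scan_log() walks constructed HTTP access-log lines and flags min/max
   aggregate requests combined with groupBy against collections that hold
   concealed fields, the query shape the advisory describes.

Assumptions (not from the advisory): logs are in Combined Log Format, the
system collection directus_users is served from the /users endpoint, and the
concealed columns of interest are named token and tfa_secret.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (11, 17, 0)  # from the CVE record

# Endpoint path -> collection. directus_users comes from the advisory; the
# /users mapping is assumed (Directus system-endpoint convention).
SENSITIVE_PATHS = {
    "/users": "directus_users",
    "/items/directus_users": "directus_users",
}
LEAKING_FUNCS = {"min", "max"}  # the aggregate functions the advisory names

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Matches query keys such as aggregate[min], aggregate[max][] or aggregate[min][0]
AGG_KEY_RE = re.compile(r"aggregate\[(\w+)\](?:\[\d*\])?")


def parse_version(text):
    """Extract MAJOR.MINOR.PATCH from strings like '11.16.2' or 'v11.17.0-rc.1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the reported version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def classify_request(target):
    """Return a finding for a min/max aggregate + groupBy request against a
    sensitive collection, or None for anything else."""
    parts = urlsplit(target)
    collection = SENSITIVE_PATHS.get(parts.path.rstrip("/"))
    if collection is None:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    funcs, fields = set(), []
    for key, values in qs.items():
        m = AGG_KEY_RE.fullmatch(key)
        if m:
            funcs.add(m.group(1))
            # aggregate[min]=a,b and aggregate[min][]=a are both accepted shapes
            fields.extend(f for v in values for f in v.split(",") if f)
    has_group_by = any(k == "groupBy" or k.startswith("groupBy[") for k in qs)
    leaking = sorted(funcs & LEAKING_FUNCS)
    if not leaking or not has_group_by:
        return None
    return {"collection": collection, "functions": leaking, "fields": fields}


def scan_log(lines):
    """Return one finding per matching request, with who/when/status attached."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["target"])
        if finding is None:
            continue
        status = int(m["status"])
        finding.update(
            ip=m["ip"], user=m["user"], ts=m["ts"], status=status,
            succeeded=status < 400,  # a 403 is an attempt, a 2xx is exposure
        )
        findings.append(finding)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - editor [12/Mar/2026:10:01:02 +0000] "GET /items/articles?aggregate[count]=*&groupBy[]=status HTTP/1.1" 200 512',
    '10.0.0.7 - editor [12/Mar/2026:10:01:09 +0000] "GET /users?aggregate[min][]=token&aggregate[max][]=tfa_secret&groupBy[]=id HTTP/1.1" 200 2048',
    '10.0.0.7 - editor [12/Mar/2026:10:01:15 +0000] "GET /users?fields=id,email HTTP/1.1" 200 980',
    '10.0.0.9 - - [12/Mar/2026:10:02:00 +0000] "GET /users?aggregate[max]=token&groupBy=id HTTP/1.1" 403 120',
]

if __name__ == "__main__":
    for v in ("11.16.2", "11.17.0"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Two caveats when adapting this: it only inspects GET query strings, so aggregate requests carried in a request body or issued through GraphQL need their own matcher, and a hit with a 2xx status on an unpatched instance should be treated as confirmed exposure of the named fields (rotate them), while a 403 shows intent but not a leak.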
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
