PT-2022-18147 · Directus · Directus

Rijk Van Zanten

·

Published

2022-04-05

·

Updated

2023-01-05

·

CVE-2022-26969

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.7.0
Description: The default values of the CORS_ENABLED and CORS_ORIGIN settings in Directus are both true, which is very permissive (cross-origin requests are accepted from any origin). In uncontrolled environments where this configuration has never been changed, this can lead to unauthorized access.
Recommendations: For versions prior to 9.7.0, configure the CORS environment variables to match your project's actual usage rather than leaving them at the permissive defaults. Update to version 9.7.0 or later, where the CORS defaults have been changed to be less permissive.
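The following audit helper is an added example, not Directus code and not part of this advisory. It flags the permissive defaults described above in a Directus .env fragment, and spots their symptom (the request Origin echoed back with credentials allowed) in a captured set of response headers; the pre-9.7.0 defaults CORS_ENABLED=true and CORS_ORIGIN=true are assumed from the advisory text, and all sample inputs are constructed.

```javascript
// Added audit helper, not Directus code and not part of this advisory.
// It flags the permissive CORS defaults described in CVE-2022-26969 in a
// Directus .env fragment, and spots their symptom (the request Origin echoed
// back with credentials allowed) in captured response headers.
// CORS_ENABLED and CORS_ORIGIN are the documented Directus variable names; the
// pre-9.7.0 defaults assumed here are CORS_ENABLED=true and CORS_ORIGIN=true.
const PRE_970_DEFAULTS = { CORS_ENABLED: 'true', CORS_ORIGIN: 'true' };

// Minimal KEY=VALUE parser for .env text (comments and surrounding quotes stripped).
function parseEnv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 0) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
  }
  return env;
}

// Effective config = explicit settings layered over the (assumed) defaults,
// so a file that never mentions CORS inherits the permissive values.
function assessCorsConfig(env, defaults = PRE_970_DEFAULTS) {
  const cfg = { ...defaults, ...env };
  if (cfg.CORS_ENABLED !== 'true') return { risk: 'none', reason: 'CORS disabled' };
  if (cfg.CORS_ORIGIN === 'true' || cfg.CORS_ORIGIN === '*') {
    return { risk: 'high', reason: `CORS_ORIGIN=${cfg.CORS_ORIGIN} accepts any origin` };
  }
  return { risk: 'low', reason: 'explicit allowlist', origins: cfg.CORS_ORIGIN.split(',').map(s => s.trim()) };
}

// Header-level check on a response to a request that carried `requestOrigin`.
// Call it with an origin that should NOT be allowed; header names are matched
// case-insensitively.
function assessCorsHeaders(requestOrigin, headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === undefined || (acao !== '*' && acao !== requestOrigin)) {
    return { risk: 'none', reason: 'origin not allowed' };
  }
  if (acao === requestOrigin && creds) {
    return { risk: 'high', reason: 'arbitrary origin reflected with credentials' };
  }
  return { risk: 'medium', reason: acao === '*' ? 'wildcard origin' : 'origin reflected without credentials' };
}

// Constructed samples (not captured from any real deployment).
const UNTOUCHED_ENV = '# constructed sample: CORS keys left at defaults\nDB_CLIENT=pg\n';
const HARDENED_ENV = 'CORS_ENABLED=true\nCORS_ORIGIN="https://app.example.com"\n';
const REFLECTED_HEADERS = {
  'Access-Control-Allow-Origin': 'https://untrusted.example',
  'Access-Control-Allow-Credentials': 'true',
};
```

Running `assessCorsConfig(parseEnv(UNTOUCHED_ENV))` reports high risk, while the hardened fragment reports low risk with the single allowlisted origin.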

Fix

Weakness Enumeration

Related Identifiers

CVE-2022-26969
GHSA-G27J-74FP-XFPR

Affected Products

Directus