PT-2024-28714 · Directus · Directus

High · br41Nslug · Published 2024-07-08 · Updated 2025-01-03 · CVE-2024-39896

CVSS v4.0 8.7 High
Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.13.0
Description: When an instance combines SSO providers with local (default) authentication, the local login endpoint lets an unauthenticated client enumerate existing SSO users. If the submitted email address exists in Directus and belongs to a known SSO provider, the login fails with a "helpful" error stating that the user belongs to another provider, which is distinguishable from the error returned for an unknown email address.
Recommendations: For versions prior to 10.13.0, update to version 10.13.0 or later. As a temporary workaround, when SSO is the only intended authentication method, disable local login by setting the environment variable AUTH_DISABLE_DEFAULT to "true".

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-39896
GHSA-JGF4-VWC3-R46V

Affected Products

Directus