PT-2026-30325 · Directus · Directus

Published: 2026-04-04 · Updated: 2026-04-06 · CVE-2026-35408

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.17.0

Description: Directus SSO login pages were missing the Cross-Origin-Opener-Policy (COOP) HTTP response header. This allowed a malicious cross-origin window to access and manipulate the window object of the Directus login page. An attacker could intercept and redirect the OAuth authorization flow to a malicious OAuth client, potentially gaining access to the victim's authentication provider account (e.g., Google, Discord). A successful attack could lead to unauthorized access to the victim's linked identity provider account or account takeover of the Directus instance.

Recommendations: Upgrade to Directus version 11.17.0 or later. As a workaround, configure your reverse proxy or web server to add the `Cross-Origin-Opener-Policy: same-origin` HTTP response header to all Directus responses.
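As an added example (not part of this advisory or of the Directus project), a small Python check that classifies a response's Cross-Origin-Opener-Policy header, so an operator can confirm that the upgrade or the reverse-proxy workaround actually took effect on the SSO login page. The sample header sets are constructed, and `coop_status`/`fetch_status` are assumed helper names using only the standard library.

```python
"""Classify a response's Cross-Origin-Opener-Policy (COOP) header.

Added example, not Directus project code. Only the standard library is used;
the header sets at the bottom are constructed samples, not captured traffic.
"""
import urllib.request
from typing import Iterable, Tuple

RECOMMENDED = "same-origin"  # the value the advisory's workaround adds


def coop_status(headers: Iterable[Tuple[str, str]]) -> str:
    """Return "missing", "ok" or "weak" for a list of (name, value) headers.

    "missing": no COOP header at all (the pre-11.17.0 state described above)
    "ok":      every COOP occurrence is same-origin (parameters such as
               report-to are ignored when comparing the policy token)
    "weak":    COOP is present but at least one occurrence is another value
    Header names are compared case-insensitively.
    """
    values = [v for k, v in headers if k.lower() == "cross-origin-opener-policy"]
    if not values:
        return "missing"
    tokens = [v.split(";", 1)[0].strip().lower() for v in values]
    return "ok" if all(t == RECOMMENDED for t in tokens) else "weak"


def fetch_status(url: str, timeout: float = 10.0) -> str:
    """GET a URL (e.g. the SSO login page) and classify its COOP header.

    urlopen follows redirects, so the headers checked belong to the final
    response in the chain.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "coop-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return coop_status(resp.getheaders())


# Constructed sample header sets illustrating the three outcomes.
UNPATCHED = [("Content-Type", "text/html; charset=utf-8")]
PATCHED = UNPATCHED + [("Cross-Origin-Opener-Policy", "same-origin")]
WEAK = UNPATCHED + [("cross-origin-opener-policy", "unsafe-none")]

if __name__ == "__main__":
    import sys
    for name, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED), ("weak", WEAK)):
        print(f"{name}: {coop_status(hdrs)}")
    if len(sys.argv) > 1:  # optional live check against a URL you operate
        print(f"{sys.argv[1]}: {fetch_status(sys.argv[1])}")
```

Pass the login page URL as the first argument to check a live instance; a result of "missing" or "weak" means the workaround header is not reaching the client.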

Weakness Enumeration

Protection Mechanism Failure
Origin Validation Error

Related Identifiers

CVE-2026-35408
GHSA-8M32-P958-JG99

Fix

Affected Products

Directus