PT-2026-30327 · Directus · Directus

Pov9En · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35410

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.16.1

Description: Directus is a real-time API and App dashboard for managing SQL database content. An open redirect exists in the login redirection logic because the isLoginRedirectAllowed function incorrectly identifies certain malformed URLs as internal, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains after successful authentication. A parser differential exists between the server-side URL validation logic and how browsers interpret URL path segments containing backslashes, leading to misclassification of URLs. This can be exploited in SSO authentication flows to redirect users to attacker-controlled sites after authentication.

Recommendations: Update to Directus version 11.16.1 or later.
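The backslash parser differential described above, as an added illustration that is not Directus's code and not its isLoginRedirectAllowed implementation: a naive string check that classifies any path starting with a single "/" as internal is shown beside an origin-based check that first resolves the candidate the way a WHATWG-conformant browser does (backslashes are treated as path separators for http and https), then compares origins. The app origin, allow-list, sample inputs and function names are constructed for the example.

```javascript
// Added example (hypothetical names): browser-consistent validation of a
// post-login redirect target. Not the project's own code.
const APP_ORIGIN = "https://app.example";     // constructed sample origin
const ALLOW_LIST = ["https://sso.example"];    // constructed sample allow-list

// Naive check: anything beginning with one "/" is treated as an internal path.
// It accepts "/\evil.example", which browsers resolve to https://evil.example/
// because "\" is parsed as "/" for special schemes (WHATWG URL parsing).
function naiveIsInternal(redirect) {
  return redirect.startsWith("/") && !redirect.startsWith("//");
}

// Hardened check: resolve the candidate against the app origin with the same
// parser a browser uses, restrict the scheme, and compare origins instead of
// inspecting the raw string. Unparseable input is rejected rather than guessed at.
function isRedirectAllowed(redirect, appOrigin = APP_ORIGIN, allowList = ALLOW_LIST) {
  let target;
  try {
    target = new URL(redirect, appOrigin);
  } catch {
    return false;
  }
  // Block javascript:, data: and similar; their origin is "null" anyway, but
  // an explicit scheme check keeps the intent readable and auditable.
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;

  const allowedOrigins = new Set([new URL(appOrigin).origin, ...allowList.map((a) => new URL(a).origin)]);
  return allowedOrigins.has(target.origin);
}

// Shows how the two checks classify the same constructed inputs.
function classify(inputs) {
  return inputs.map((r) => ({ redirect: r, naive: naiveIsInternal(r), hardened: isRedirectAllowed(r) }));
}

console.log(classify(["/admin/content", "/\\evil.example", "//evil.example", "https://sso.example/callback"]));
```

The key design choice is to stop reasoning about the string and instead ask the URL parser where the browser will actually land; any allow-list comparison then operates on the resolved origin, so lookalike hosts such as sso.example.evil and credential-style prefixes such as app.example@evil.example are rejected for the same reason.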

Fix

Open Redirect

RCE

Incomplete List of Disallowed Inputs

Weakness Enumeration

Related Identifiers

CVE-2026-35410
GHSA-CF45-HXWJ-4CFJ

Affected Products

Directus