PT-2026-30328 · Npm · Directus

Published 2026-04-04 · Updated 2026-04-04 · CVE-2026-35411

CVSS v3.1: 4.3 Medium (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Summary

Directus is vulnerable to an open redirect via the redirect query parameter of the /admin/tfa-setup page. An administrator who has not yet configured two-factor authentication (2FA) and who visits a crafted URL is shown the legitimate Directus 2FA setup page. After the setup process is completed, the application redirects the user to the attacker-controlled URL supplied in the redirect parameter without validating it.
This makes the issue useful in phishing attacks targeting Directus administrators: the initial interaction takes place on a trusted domain, and the victim is only handed off to the attacker's site after completing a genuine workflow.

Credits

Discovered by Neo by ProjectDiscovery (https://neo.projectdiscovery.io/)

Fix

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2026-35411
GHSA-Q75C-4GMV-MG9X

Affected Products

Directus