PT-2026-30328 · Directus · Directus
Akokonunes +2
Published: 2026-04-04 · Updated: 2026-04-06
CVE-2026-35411
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.16.1
Description: Directus is susceptible to an open redirect issue through the redirect parameter on the /admin/tfa-setup page. An administrator who has not configured Two-Factor Authentication (2FA) may be redirected to an attacker-controlled URL after completing the 2FA setup process, because the application does not validate the redirect destination. This could be leveraged in phishing attacks targeting Directus administrators.
Recommendations: Update to version 11.16.1 or later.
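The class of weakness described above is fixed by validating the redirect destination server-side before issuing the redirect. The following is an added example written for this page, not Directus's own code and not the code of the 11.16.1 fix: it accepts only a same-origin relative path and falls back to a fixed default otherwise. The parameter name (redirect), the default landing path (/admin/) and the placeholder origin used for parsing are assumptions.

```javascript
// Added example (not Directus code): accept a post-2FA-setup redirect target only if it
// is a same-origin relative path; anything else falls back to a fixed default page.
// Assumed values: the parameter is "redirect", the default is "/admin/", and
// "https://directus.invalid" is a placeholder origin used only for parsing.
const DEFAULT_REDIRECT = "/admin/";
const PARSE_ORIGIN = "https://directus.invalid";

function safeRedirectTarget(redirectParam, fallback = DEFAULT_REDIRECT) {
  if (typeof redirectParam !== "string" || redirectParam.length === 0) {
    return fallback;
  }
  // Must be a single-slash relative path. This rejects absolute URLs ("https://..."),
  // scheme-only values ("javascript:"), and protocol-relative URLs ("//host").
  if (!redirectParam.startsWith("/")) {
    return fallback;
  }
  // Reject "//" anywhere (e.g. "/..//host", which resolves to a protocol-relative path),
  // backslashes (some browsers normalise "\" to "/"), and control characters.
  if (redirectParam.includes("//") || /[\\\r\n\t\0]/.test(redirectParam)) {
    return fallback;
  }
  // Resolve against the placeholder origin and confirm the origin did not change.
  let parsed;
  try {
    parsed = new URL(redirectParam, PARSE_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== PARSE_ORIGIN || parsed.pathname.startsWith("//")) {
    return fallback;
  }
  // Hand back only path, query and fragment, never a full URL, so the response
  // Location header can only point at the application's own origin.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Sample inputs (constructed for this example): a legitimate admin path and a few
// shapes that a validator must refuse.
function demo() {
  return [
    "/admin/settings",
    "/admin/users?page=2#top",
    "https://evil.invalid/",
    "//evil.invalid",
    "/\\evil.invalid",
    "javascript:void(0)",
    "/..//evil.invalid",
  ].map((value) => [value, safeRedirectTarget(value)]);
}

module.exports = { safeRedirectTarget, demo, DEFAULT_REDIRECT };
```

The design choice worth noting is that the function never returns what the client sent: it returns the path that the URL parser produced after resolving against a fixed origin, and it refuses the input outright when the parser's origin differs or the resulting path is protocol-relative. An allowlist of exact admin routes would be stricter still where the set of valid landing pages is small.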

Fix
Weakness Enumeration: Open Redirect
Related Identifiers: CVE-2026-35411, GHSA-Q75C-4GMV-MG9X
Affected Products: Directus