PT-2026-30329 · Directus · Directus

Bugbunny-Research · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35412

CVSS v3.1 8.1 High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.16.1
Description Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks on directus_files, but does not validate item-level access to the specific file being replaced. This bypasses row-level permission rules. As a result, an attacker can overwrite any file in directus_files by UUID, leading to potential data loss and metadata corruption. Privilege escalation is possible if admin-owned files are stored in directus_files.
Recommendations Update to version 11.16.1 or later. As a workaround, disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.
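The difference between a collection-level and an item-level check, as an added Node.js illustration that is not Directus code: permission rules are modelled Directus-style (scoped to a collection and action, optionally carrying a row filter), and the file rows, rules, user objects and function names are all constructed for this example.

```javascript
// Added illustration of the authorization gap described above (not Directus code).
// Rules are scoped to a collection and action, optionally with a row filter that
// is evaluated against the item being changed. All rows, rules, users and helper
// names below are constructed for this example.
const FILES = {
  "file-uuid-1": { uploaded_by: "user-a", filename_download: "report.pdf" },
  "file-uuid-2": { uploaded_by: "admin-1", filename_download: "backup.sql" },
};

const PERMISSIONS = [
  // Uploaders may update a file only if they uploaded it (row-level rule).
  { role: "uploader", collection: "directus_files", action: "update",
    permissions: { uploaded_by: { _eq: "$CURRENT_USER" } } },
];

function findRule(user, collection, action) {
  return PERMISSIONS.find(
    (r) => r.role === user.role && r.collection === collection && r.action === action,
  );
}

// Minimal evaluator for the {_eq} filters used here; $CURRENT_USER resolves to the caller.
function itemMatchesFilter(item, filter, user) {
  return Object.entries(filter).every(([field, cond]) => {
    const expected = cond._eq === "$CURRENT_USER" ? user.id : cond._eq;
    return item[field] === expected;
  });
}

// Flawed check: only asks "may this role update directus_files at all?" and never
// looks at the specific file identified by the UUID the TUS upload targets.
function canReplaceCollectionLevel(user, fileId) {
  return findRule(user, "directus_files", "update") !== undefined && fileId in FILES;
}

// Hardened check: the target row must also satisfy the rule's row filter, so a
// caller can only replace files the row-level policy actually grants them.
function canReplaceItemLevel(user, fileId) {
  const rule = findRule(user, "directus_files", "update");
  const item = FILES[fileId];
  if (!rule || !item) return false;
  return itemMatchesFilter(item, rule.permissions ?? {}, user);
}

const userA = { id: "user-a", role: "uploader" };
console.log(canReplaceCollectionLevel(userA, "file-uuid-2")); // true: the gap
console.log(canReplaceItemLevel(userA, "file-uuid-2"));       // false: blocked
```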

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-35412
GHSA-QQMV-5P3G-PX89

Affected Products

Directus