PT-2026-30329 · Npm · Directus
Published 2026-04-04 · Updated 2026-04-04 · CVE-2026-35412
CVSS v3.1: 7.1 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Summary
Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying that the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.
Impact
- Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.
- Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
- Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata.
- Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.
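The missing check, shown as an added example that is not Directus' own code: a collection-level gate of the kind the summary describes on the TUS path, beside an item-level gate that evaluates the row-level rule against the specific file about to be replaced. The file rows, roles and function names are constructed for the illustration; the `_eq: "$CURRENT_USER"` rule shape is modeled on Directus' permission filter syntax and is an assumption here.

```javascript
// Added example, not Directus' own code. Two authorization gates for a
// "replace file by UUID" request: the collection-level check the advisory
// describes on the TUS path, and the item-level check the REST path applies.
// File rows, roles and the rule shape are constructed for this illustration;
// the `$CURRENT_USER` placeholder is modeled on Directus' permission filters.

const FILE_A = "11111111-1111-4111-8111-111111111111"; // constructed, owned by user-a
const FILE_ADMIN = "22222222-2222-4222-8222-222222222222"; // constructed, owned by admin

// Constructed directus_files rows; uploaded_by records the owner.
const files = new Map([
  [FILE_A, { uploaded_by: "user-a", filename_download: "a.png" }],
  [FILE_ADMIN, { uploaded_by: "admin", filename_download: "logo.png" }],
]);

// Row-level rules: basic users may update only their own files, admins any file.
const permissions = [
  { role: "basic", collection: "directus_files", action: "update",
    filter: { uploaded_by: { _eq: "$CURRENT_USER" } } },
  { role: "admin", collection: "directus_files", action: "update", filter: {} },
];

function findRule(role) {
  return permissions.find((p) =>
    p.role === role && p.collection === "directus_files" && p.action === "update");
}

// Collection-level gate only: "does this role have *some* update permission on
// directus_files?" The target UUID is never consulted, which is the flaw described.
function authorizeCollectionOnly(role, userId, fileId) {
  return findRule(role) !== undefined;
}

// Evaluate a rule filter against one row. An empty filter matches everything.
function matchesFilter(filter, row, userId) {
  return Object.entries(filter).every(([field, cond]) => {
    const expected = cond._eq === "$CURRENT_USER" ? userId : cond._eq;
    return row[field] === expected;
  });
}

// Item-level gate: the same rule, but applied to the row that would be overwritten.
// Unknown UUIDs are refused rather than treated as "nothing to protect".
function authorizeOverwrite(role, userId, fileId) {
  const rule = findRule(role);
  const row = files.get(fileId);
  if (!rule || !row) return false;
  return matchesFilter(rule.filter, row, userId);
}
```

With these rules, the collection-only gate lets a basic user replace the admin-owned file, while the item-level gate refuses it and still allows the owner and the admin through.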
Workaround
Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Directus