PT-2026-30330 · Directus · Directus

Bugbunny-Research · Published 2026-04-04 · Updated 2026-04-06

CVE-2026-35413
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus (affected versions not specified)

Description: When GRAPHQL_INTROSPECTION=false is configured, Directus blocks standard GraphQL introspection queries, but the server_specs_graphql resolver on the /graphql/system endpoint still returns an equivalent SDL representation of the schema. This bypasses the introspection control and exposes the schema structure (collection names, field names, types and relationships) to unauthenticated users at the public permission level, and to authenticated users at their own permission level. Administrators who set GRAPHQL_INTROSPECTION=false had a false sense of security, since the schema information remained accessible via the SDL endpoint.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-35413
GHSA-WXWM-3FXV-MRVX

Affected Products

Directus