PT-2026-30331 · Directus · Directus

Liyander · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35441

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.17.0

Description: Directus GraphQL endpoints ('/graphql' and '/graphql/system') did not prevent repeated execution of expensive relational queries through GraphQL aliasing. An authenticated user could exploit this to cause CPU, memory, and I/O exhaustion, potentially degrading or crashing the service. The issue stemmed from a lack of resolver deduplication within a single request, allowing an attacker to multiply database load linearly with the number of aliases used. Rate limiting was disabled by default, exacerbating the problem. Any authenticated user, even with minimal permissions, could trigger this condition.

Recommendations: Update to version 11.17.0 or later.
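The description names two server-side gaps: no per-request limit on the number of aliases, and no deduplication of resolver work within one request. The following is an added JavaScript example, not Directus's own code and not its 11.17.0 fix, showing what each control looks like: an alias counter that can refuse a document before any resolver runs, and a request-scoped cache that makes N aliases of one expensive field cost one database query. The MAX_ALIASES budget, the tokenizer, the RequestScopedResolverCache class, the function names and the sample queries are all assumptions constructed for this example.

```javascript
// Added example, not Directus code: two server-side controls against GraphQL
// alias amplification, the pattern described in the advisory.
//   1. countAliases / checkAliasBudget: count field aliases in a document and
//      refuse over-aliased requests before any resolver runs.
//   2. RequestScopedResolverCache: memoise resolver results by (field, args)
//      for one request, so N aliases of one expensive field hit the database
//      once instead of N times (resolver deduplication within a request).
// MAX_ALIASES, the class and function names, and the sample queries are
// assumptions constructed for this example.

const MAX_ALIASES = 10; // assumed per-request alias budget

// Minimal tokenizer: string literals, names, the punctuation we need, and a
// single character for anything else. GraphQL '#' comments are not handled.
function tokenize(src) {
  const re = /"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|[{}():]|[^\s,]/g;
  const tokens = [];
  let m;
  while ((m = re.exec(src)) !== null) tokens.push(m[0]);
  return tokens;
}

// An alias is `name:` inside a selection set ({ }) and outside any argument
// list or variable definition ( ). Argument keys and object-literal keys
// always sit inside parentheses, so paren depth separates the two cases.
function countAliases(query) {
  const toks = tokenize(query);
  let parenDepth = 0, braceDepth = 0, aliases = 0;
  for (let i = 0; i < toks.length; i++) {
    const t = toks[i];
    if (t === '(') parenDepth++;
    else if (t === ')') parenDepth--;
    else if (t === '{') braceDepth++;
    else if (t === '}') braceDepth--;
    else if (t === ':' && parenDepth === 0 && braceDepth > 0 &&
             /^[A-Za-z_]/.test(toks[i - 1] || '')) aliases++;
  }
  return aliases;
}

function checkAliasBudget(query, max = MAX_ALIASES) {
  const aliases = countAliases(query);
  return { allowed: aliases <= max, aliases, max };
}

// Deterministic key for an argument object regardless of key order.
function stableStringify(v) {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map(stableStringify).join(',') + ']';
  return '{' + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ':' + stableStringify(v[k])).join(',') + '}';
}

// One instance per incoming request, never shared across requests, so it
// cannot hand one user's rows to another. It stores whatever the loader
// returns (a plain value here, a Promise in real code), so concurrent aliases
// also share one in-flight query.
class RequestScopedResolverCache {
  constructor() { this.entries = new Map(); this.loaderCalls = 0; }
  resolve(field, args, loader) {
    const key = field + '|' + stableStringify(args);
    if (!this.entries.has(key)) {
      this.loaderCalls++;
      this.entries.set(key, loader(args));
    }
    return this.entries.get(key);
  }
}

// Simulates one request that selects the same relational field under
// `aliasCount` aliases, cycling through `argsVariants` distinct argument
// sets; returns how many times the (fake) database was queried.
function demoDedup(aliasCount, argsVariants = 1) {
  let dbCalls = 0;
  const loader = (args) => { dbCalls++; return { rows: 3, args }; };
  const cache = new RequestScopedResolverCache();
  for (let i = 0; i < aliasCount; i++) {
    cache.resolve('articles',
      { limit: 100, filter: { status: { _eq: 'published' } }, page: i % argsVariants },
      loader);
  }
  return dbCalls;
}

// Constructed sample documents (not captured traffic). The first repeats one
// relational field under four aliases; the second uses arguments only.
const SAMPLE_AMPLIFIED_QUERY = `
  query {
    a1: articles(filter: { status: { _eq: "published" } }) { id author { name } }
    a2: articles(filter: { status: { _eq: "published" } }) { id author { name } }
    a3: articles(filter: { status: { _eq: "published" } }) { id author { name } }
    a4: articles(filter: { status: { _eq: "published" } }) { id author { name } }
  }`;
const SAMPLE_BENIGN_QUERY = `
  query ($limit: Int) {
    articles(limit: $limit, filter: { status: { _eq: "published" } }) { id title }
  }`;

console.log(checkAliasBudget(SAMPLE_AMPLIFIED_QUERY, 3)); // { allowed: false, aliases: 4, max: 3 }
console.log(checkAliasBudget(SAMPLE_BENIGN_QUERY));       // { allowed: true, aliases: 0, max: 10 }
console.log('db calls for 50 aliases:', demoDedup(50));    // 1
```

The alias count is a coarse pre-execution gate (it counts nested aliases too, which is acceptable for a budget check); the request-scoped cache is the structural fix, because it removes the linear relationship between aliases and database load that the advisory describes. Enabling the rate limiter the advisory says is off by default is a third, independent layer.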

Fix

Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

CVE-2026-35441
GHSA-PH52-67FQ-75WJ

Affected Products

Directus