PT-2026-30332 · Directus · Directus

Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35442

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Directus (affected versions not specified)

Description: Aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This occurs because the masking logic does not account for the nested structure of aggregate query results, causing it to skip concealed fields and return their raw values. An authenticated attacker can harvest static API tokens for all users, including administrators, enabling authentication as any account without credentials. TOTP seeds stored in directus_users can also be extracted, allowing an attacker to bypass two-factor authentication for any account.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
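As an added illustration of the masking defect described above (example code, not Directus's own implementation): a masker that only inspects top-level keys leaves values nested under aggregate operators such as `min`/`max` untouched, while a masker that descends into aggregate result objects replaces them with the placeholder. The concealed field names, the placeholder string, the aggregate key names and the result row shape are assumptions for this example.

```javascript
// Added example (not Directus code). Shows why a flat masker misses concealed
// values nested under aggregate operators and how a nested-aware masker fixes it.
const CONCEALED_FIELDS = new Set(['token', 'tfa_secret']); // fields with the "conceal" special type (assumed)
const PLACEHOLDER = '**********'; // masked placeholder (assumed value)
// Aggregate operator keys under which results are nested (assumed list).
const AGGREGATE_KEYS = new Set(['min', 'max', 'sum', 'avg', 'count',
  'countDistinct', 'sumDistinct', 'avgDistinct']);

// Vulnerable pattern: only top-level keys are checked, so { min: { token: ... } } passes through.
function maskFlat(row) {
  const out = {};
  for (const [key, value] of Object.entries(row)) {
    out[key] = CONCEALED_FIELDS.has(key) ? PLACEHOLDER : value;
  }
  return out;
}

// Hardened pattern: descend into aggregate result objects and mask concealed fields there too.
// Masking is applied conservatively to every aggregate, including count, since the
// concealed field name identifies the value as sensitive regardless of operator.
function maskNested(row) {
  const out = {};
  for (const [key, value] of Object.entries(row)) {
    if (CONCEALED_FIELDS.has(key)) {
      out[key] = PLACEHOLDER;
    } else if (AGGREGATE_KEYS.has(key) && value !== null && typeof value === 'object') {
      out[key] = maskNested(value);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample: one group row of an aggregate query with groupBy (shape assumed).
const SAMPLE_ROW = {
  role: 'constructed-role-id',
  min: { token: 'constructed-raw-token', tfa_secret: 'CONSTRUCTEDSEED' },
  max: { token: 'constructed-raw-token' },
};

// Returns both outputs so the difference between the two maskers can be compared.
function demo() {
  return { flat: maskFlat(SAMPLE_ROW), nested: maskNested(SAMPLE_ROW) };
}
```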

Weakness Enumeration

Information Disclosure

Incorrect Authorization

Related Identifiers

CVE-2026-35442
GHSA-38HG-WW64-RRWC

Affected Products

Directus