CVE-2026-39942

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.17.0

Description The Directus file management API contains a broken access control issue that allows authenticated users to overwrite files belonging to other users by manipulating the filename disk parameter in the PATCH /files/{id} endpoint. By setting this value to match the storage path of another user's file, an attacker can overwrite the file's content and manipulate metadata fields like uploaded by to hide the tampering. This can lead to unauthorized file overwrites, potential remote code execution if the storage backend is shared with the extensions location, and data integrity compromise.

Recommendations Update to version 11.17.0 or later.