PT-2026-31649 · Directus · Directus

Br41Nslug · Published 2026-04-04 · Updated 2026-04-09 · CVE-2026-39943

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.17.0

Description: Directus stores revision records in directus_revisions when items are created or updated. The revision snapshot code did not consistently use the prepareDelta sanitization pipeline, so sensitive fields such as user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys could be written in plaintext into revision records. A user or service account with read access to directus_revisions could therefore retrieve this sensitive information, potentially leading to account takeover or unauthorized use of third-party API keys.

Recommendations: Update to version 11.17.0 or later.
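As an added illustration, not Directus's own code, the TypeScript below shows the defensive pattern the description implies: a single sanitization step that every revision write path goes through (so no code path can skip it), together with an audit helper that flags already-stored revision records still carrying plaintext secrets. The field names (token, tfa_secret, external_identifier, auth_data, password, api_key) and the sample records are assumptions modelled on the categories the advisory lists, not the real Directus schema, and sanitizeDelta is a hypothetical stand-in for the prepareDelta pipeline the advisory names.

```typescript
// Added illustration (not Directus's own code). Field names are assumptions
// modelled on the secret categories the advisory lists, not Directus's schema.

type Item = Record<string, unknown>;

const REDACTED = "**********";

// Exact field names that must never reach a revision snapshot (assumed names).
const SENSITIVE_FIELDS = new Set<string>([
  "token",
  "tfa_secret",
  "external_identifier",
  "auth_data",
  "password",
  "api_key",
]);

// Name fragments that also mark a field as secret (catches e.g. refresh_token).
const SENSITIVE_PATTERNS = [/secret/i, /token/i, /api_?key/i, /password/i, /credential/i];

function isSensitiveField(name: string): boolean {
  return SENSITIVE_FIELDS.has(name) || SENSITIVE_PATTERNS.some((re) => re.test(name));
}

// Recursively replace secret-bearing values. Nested objects (e.g. auth_data)
// are redacted as a whole; arrays and scalars pass through unchanged.
function sanitizeDelta(delta: Item): Item {
  const out: Item = {};
  for (const [key, value] of Object.entries(delta)) {
    if (isSensitiveField(key)) {
      out[key] = REDACTED;
    } else if (value && typeof value === "object" && !Array.isArray(value)) {
      out[key] = sanitizeDelta(value as Item);
    } else {
      out[key] = value;
    }
  }
  return out;
}

interface Revision {
  collection: string;
  item: string;
  data: Item;  // full item state after the change
  delta: Item; // only the changed fields
}

// Every create/update path builds its snapshot here, so the sanitizer runs on
// both the full state and the delta; the advisory's root cause was that some
// paths bypassed the sanitization pipeline.
function buildRevisionSnapshot(collection: string, itemId: string, before: Item, delta: Item): Revision {
  const after: Item = { ...before, ...delta };
  return { collection, item: itemId, data: sanitizeDelta(after), delta: sanitizeDelta(delta) };
}

// Audit helper for existing records: returns the paths of sensitive fields
// whose value was stored unredacted.
function findLeakedFields(record: Item, prefix = ""): string[] {
  const leaks: string[] = [];
  for (const [key, value] of Object.entries(record)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (isSensitiveField(key)) {
      if (value !== REDACTED && value !== null && value !== undefined) leaks.push(path);
    } else if (value && typeof value === "object" && !Array.isArray(value)) {
      leaks.push(...findLeakedFields(value as Item, path));
    }
  }
  return leaks;
}

// Constructed sample user record and update (not real data).
const sampleBefore: Item = {
  email: "user@example.test",
  token: "old-static-token",
  tfa_secret: "CONSTRUCTED-TFA-SEED",
  auth_data: { refresh_token: "constructed-refresh" },
};
const sampleDelta: Item = { token: "new-static-token", api_key: "sk-constructed", role: "editor" };

const snapshot = buildRevisionSnapshot("directus_users", "42", sampleBefore, sampleDelta);
console.log(JSON.stringify(snapshot));
console.log("leaks after sanitization:", findLeakedFields(snapshot.data));
console.log("leaks in an unsanitized snapshot:", findLeakedFields({ ...sampleBefore, ...sampleDelta }));
```

Run findLeakedFields over a dump of the revisions table to find rows written before the fix; they need to be purged or re-sanitized, since upgrading stops new leaks but does not rewrite history.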

Fix

Cleartext Storage of Sensitive Information

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-39943
GHSA-MVV8-V4JJ-G47J

Affected Products

Directus