PT-2026-7914 · Directus · Directus

Denizparlak · Published 2026-02-12 · Updated 2026-02-13 · CVE-2026-26185

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.14.1

Description: A timing-based user enumeration issue exists in the password reset functionality. Providing an invalid reset url parameter results in differing response times – approximately 500ms – between existing and non-existing users, allowing for reliable user enumeration. The password reset endpoint attempts to implement timing protection, but URL validation occurs before this protection is applied, enabling the identification of valid user accounts based on response times. This issue compromises user privacy and could facilitate targeted phishing attacks by confirming account existence.

Recommendations: Update to version 11.14.1 or later.
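The ordering problem the description names, as an added illustration that is not Directus code: a hypothetical reset-request handler that validates the reset URL after the user lookup and before the stall, beside a hardened version that validates first and stalls unconditionally. The user store, URL allowlist, lookup cost and 500ms minimum are constructed, and a fake clock stands in for real time so the comparison is deterministic.

```javascript
const KNOWN_USERS = new Set(['alice@example.com']);                    // constructed
const ALLOWED_RESET_URLS = new Set(['https://app.example.com/reset']); // constructed
const MIN_RESPONSE_MS = 500; // minimum response time the stall enforces
const LOOKUP_COST_MS = 20;   // simulated database round-trip

function makeClock() { // sleep() advances virtual time instead of blocking
  let t = 0;
  return { now: () => t, sleep: (ms) => { t += ms; } };
}

function lookupUser(clock, email) { // user store query with a simulated cost
  clock.sleep(LOOKUP_COST_MS);
  return KNOWN_USERS.has(email);
}

function stallUntil(clock, start) { // pad the response out to MIN_RESPONSE_MS
  const remaining = MIN_RESPONSE_MS - (clock.now() - start);
  if (remaining > 0) clock.sleep(remaining);
}

// Vulnerable ordering: the reset URL is checked only once a user is found, and the
// check throws before the stall, so a bad URL fails fast for real accounts only.
function requestResetVulnerable(clock, email, resetUrl) {
  const start = clock.now();
  if (lookupUser(clock, email)) {
    if (!ALLOWED_RESET_URLS.has(resetUrl)) throw new Error('invalid reset_url'); // no stall
  }
  stallUntil(clock, start);
  return { accepted: true };
}

// Hardened ordering: validate input before any user lookup, and stall in `finally`
// so success and error paths take the same minimum time.
function requestResetHardened(clock, email, resetUrl) {
  const start = clock.now();
  try {
    if (!ALLOWED_RESET_URLS.has(resetUrl)) throw new Error('invalid reset_url');
    if (lookupUser(clock, email)) { /* ...queue the reset e-mail here... */ }
    return { accepted: true };
  } finally {
    stallUntil(clock, start);
  }
}

// Elapsed virtual time and outcome of one request, used to compare the orderings.
function timeRequest(handler, email, resetUrl) {
  const clock = makeClock();
  let errored = false;
  try { handler(clock, email, resetUrl); } catch (_) { errored = true; }
  return { ms: clock.now(), errored };
}
```

With the vulnerable ordering an invalid URL returns after the lookup cost for a known address and after the full stall for an unknown one; the hardened ordering returns after the full stall in every case.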

Exploit

Fix

Side Channel Attack


Weakness Enumeration

Related identifiers

CVE-2026-26185
GHSA-JR94-GJ3H-C8RF

Affected products

Directus