{"api_version":"1","generated_at":"2026-07-16T16:22:30+00:00","cve":"CVE-2026-61836","urls":{"html":"https://cve.report/CVE-2026-61836","api":"https://cve.report/api/cve/CVE-2026-61836.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-61836","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-61836"},"summary":{"title":"Directus: Authorization-dependent response served from unsegmented cache key","description":"Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-15 15:16:48","updated_at":"2026-07-15 20:49:59"},"problem_types":["CWE-524","CWE-639","CWE-524 CWE-524: Use of Cache Containing Sensitive Information","CWE-639 CWE-639: Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/directus/directus/commit/7ba4efb97525d3af33570537c76e44baea767f13","name":"https://github.com/directus/directus/commit/7ba4efb97525d3af33570537c76e44baea767f13","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/directus/directus/security/advisories/GHSA-c6w9-5g5j-jh2p","name":"https://github.com/directus/directus/security/advisories/GHSA-c6w9-5g5j-jh2p","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/directus/directus/releases/tag/v12.0.0","name":"https://github.com/directus/directus/releases/tag/v12.0.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/directus/directus/pull/27707","name":"https://github.com/directus/directus/pull/27707","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-61836","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-61836","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"directus","product":"directus","version":"affected < 12.0.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-61836","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-15T16:30:53.938992Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-15T16:32:52.619Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"directus","vendor":"directus","versions":[{"status":"affected","version":"< 12.0.0"}]}],"descriptions":[{"lang":"en","value":"Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-524","description":"CWE-524: Use of Cache Containing Sensitive Information","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-639","description":"CWE-639: Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-15T14:17:21.034Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/directus/directus/security/advisories/GHSA-c6w9-5g5j-jh2p","tags":["x_refsource_CONFIRM"],"url":"https://github.com/directus/directus/security/advisories/GHSA-c6w9-5g5j-jh2p"},{"name":"https://github.com/directus/directus/pull/27707","tags":["x_refsource_MISC"],"url":"https://github.com/directus/directus/pull/27707"},{"name":"https://github.com/directus/directus/commit/7ba4efb97525d3af33570537c76e44baea767f13","tags":["x_refsource_MISC"],"url":"https://github.com/directus/directus/commit/7ba4efb97525d3af33570537c76e44baea767f13"},{"name":"https://github.com/directus/directus/releases/tag/v12.0.0","tags":["x_refsource_MISC"],"url":"https://github.com/directus/directus/releases/tag/v12.0.0"}],"source":{"advisory":"GHSA-c6w9-5g5j-jh2p","discovery":"UNKNOWN"},"title":"Directus: Authorization-dependent response served from unsegmented cache key"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-61836","datePublished":"2026-07-15T14:17:21.034Z","dateReserved":"2026-07-10T20:28:17.511Z","dateUpdated":"2026-07-15T16:32:52.619Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-15 15:16:48","lastModifiedDate":"2026-07-15 20:49:59","problem_types":["CWE-524","CWE-639","CWE-524 CWE-524: Use of Cache Containing Sensitive Information","CWE-639 CWE-639: Authorization Bypass Through User-Controlled Key"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-15T16:30:53.938992Z","id":"CVE-2026-61836","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"61836","Ordinal":"1","Title":"Directus: Authorization-dependent response served from unsegment","CVE":"CVE-2026-61836","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"61836","Ordinal":"1","NoteData":"Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role, roles, admin, app, and policies. Directus share tokens and anonymous requests can both reduce to user null, so different shares or anonymous clients requesting the same URL and query can receive a permission-filtered cached response without permission re-evaluation. This issue is fixed in version 12.0.0.","Type":"Description","Title":"Directus: Authorization-dependent response served from unsegment"}]}}}