{"data":{"id":"e0c797be-cca9-4dde-83e9-b0c842b0a342","title":"GHSA-qqmv-5p3g-px89: Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite","summary":"Directus has a security flaw in its TUS resumable upload endpoint (a feature that lets users upload files in chunks) that lets any authenticated user overwrite any file in the system by specifying its UUID (unique identifier), bypassing row-level permissions (rules like 'users can only edit their own files'). This can lead to permanent data loss and allow low-privilege users to replace important files with malicious content.","solution":"Upgrade to directus 11.16.1 or later, the fixed version listed for this advisory. As a workaround until the upgrade is in place, disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-qqmv-5p3g-px89","publishedAt":"2026-04-04T06:11:18.000Z","cveId":"CVE-2026-35412","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["directus@< 11.16.1 (fixed: 11.16.1)"],"affectedVendors":[],"affectedVendorsRaw":["Directus"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-04T06:11:18.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}