GHSA-wxwm-3fxv-mrvx: Directus: GraphQL Schema SDL Disclosure Setting
medium vulnerability
security
Summary
Directus had a security gap in which turning off GraphQL introspection (a setting intended to hide schema details from users) did not take full effect. Standard introspection queries were blocked as expected, but a separate endpoint, `/graphql/system`, still returned the same schema information in SDL format (schema definition language, a text representation of the schema). As a result, unauthenticated users could learn which data collections and fields existed in the system even with introspection disabled.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
April 4, 2026
Classification
Attack Sophistication: Trivial
Affected Packages
directus@< 11.16.1 (fixed: 11.16.1)
Original source: https://github.com/advisories/GHSA-wxwm-3fxv-mrvx
First tracked: April 4, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%