GHSA-mvv8-v4jj-g47j: Directus: Sensitive fields exposed in revision history
Summary
Directus, a content management system, failed to properly sanitize sensitive data (such as user tokens, two-factor authentication secrets, and API keys) before storing it in revision history records. As a result, anyone with access to the revision database table could read these secrets in plaintext, potentially allowing account takeover or unauthorized access to third-party services.
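The class of fix described above, together with a check for secrets already sitting in stored rows, as an added example that is not Directus source code. The key names (`password`, `token`, `tfa_secret`, `api_key`), the `data`/`delta` row shape, and all function names are assumptions made for illustration.

```javascript
// Added example, not Directus source. Key names and row shape are assumptions.
const SENSITIVE_KEYS = new Set(['password', 'token', 'tfa_secret', 'api_key']);
const MASK = '**REDACTED**';

// Deep-copy `node`, masking any sensitive key at any nesting depth.
function redact(node) {
  if (Array.isArray(node)) return node.map(redact);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [key, val] of Object.entries(node)) {
    const secret = SENSITIVE_KEYS.has(key) && val !== null && val !== undefined;
    out[key] = secret ? MASK : redact(val);
  }
  return out;
}

// Build the row that would be persisted: snapshot and diff are both sanitized.
function buildRevision(id, collection, data, delta) {
  return { id, collection, data: redact(data), delta: redact(delta) };
}

// Collect dotted paths of sensitive keys that still hold a non-masked value.
function leakedPaths(node, prefix = '') {
  if (node === null || typeof node !== 'object') return [];
  return Object.entries(node).flatMap(([key, val]) => {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE_KEYS.has(key) && val !== null && val !== undefined && val !== MASK) return [path];
    return leakedPaths(val, path);
  });
}

// Audit stored rows; JSON columns may come back as strings depending on the driver.
function auditRevisions(rows) {
  const findings = [];
  for (const row of rows) {
    for (const column of ['data', 'delta']) {
      const value = typeof row[column] === 'string' ? JSON.parse(row[column]) : row[column];
      for (const path of leakedPaths(value)) findings.push(`${row.id}:${column}.${path}`);
    }
  }
  return findings;
}

// Constructed sample rows: one written without sanitization, one with it.
const rawRow = { id: 1, collection: 'directus_users',
  data: JSON.stringify({ email: 'a@example.test', token: 'tok-constructed', tfa_secret: null }),
  delta: { token: 'tok-constructed' } };
const safeRow = buildRevision(2, 'integrations',
  { name: 'mailer', settings: { api_key: 'key-constructed' } }, { settings: { api_key: 'key-constructed' } });
console.log(auditRevisions([rawRow, safeRow]));
```

Any secret the audit finds in a stored row should be treated as exposed and rotated, since masking the row afterwards does not undo earlier reads.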
Original source: https://github.com/advisories/GHSA-mvv8-v4jj-g47j
First tracked: April 4, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 85%