GHSA-qqmv-5p3g-px89: Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Summary
Directus's TUS resumable upload endpoint (the feature that lets users upload files in chunks) does not enforce row-level permissions (rules such as "users can only edit their own files") on the file being written. Any authenticated user can therefore overwrite any file in the system by supplying its UUID (unique identifier). This can cause permanent data loss and lets low-privilege users replace important files with malicious content.
Solution / Mitigation
Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required.
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-qqmv-5p3g-px89
First tracked: April 4, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 72%