CVE-2026-22032
📋 TL;DR
An open redirect vulnerability in Directus SAML authentication allows attackers to redirect users to malicious external websites after authentication. This affects all Directus instances using SAML authentication prior to version 11.14.0. The vulnerability requires no authentication to exploit.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Users could be redirected to phishing sites that steal credentials or deliver malware, potentially leading to account compromise or system infection.
Likely Case
Attackers redirect users to phishing pages to harvest credentials or display malicious content, potentially compromising user accounts.
If Mitigated
With proper user awareness training and browser security controls, users might recognize suspicious redirects, limiting credential theft.
🎯 Exploit Status
Exploitation requires crafting a SAML authentication request whose RelayState parameter points to an external URL. No authentication is required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.14.0
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc
Restart Required: Yes
Instructions:
1. Update Directus to version 11.14.0 or later.
2. Restart the Directus service.
3. Verify the patch is applied by checking the version and testing SAML authentication redirects.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML authentication until patching is complete
Modify Directus configuration to disable SAML authentication
Implement WAF Rules
Add web application firewall rules to block malicious RelayState parameters
Configure the WAF to block requests whose RelayState parameter contains an external URL
🧯 If You Can't Patch
- Implement strict monitoring for suspicious redirect patterns in authentication logs
- Educate users about phishing risks and verify URLs before entering credentials
🔍 How to Verify
Check if Vulnerable:
Check whether the Directus version is below 11.14.0 and SAML authentication is enabled. Test by attempting SAML authentication with a RelayState parameter containing an external URL.
Check Version:
Check the Directus admin interface or run: directus version
Verify Fix Applied:
After updating to 11.14.0 or later, test SAML authentication with external URLs in the RelayState parameter; these should be blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- SAML authentication requests with external URLs in RelayState parameter
- Unexpected redirects to external domains after authentication
Network Indicators:
- HTTP 302 redirects to unexpected external domains from the /auth/login/saml/callback endpoint
SIEM Query:
source="directus" AND url="*/auth/login/saml/callback*" AND status=302 AND (redirect_to CONTAINS "http://" OR redirect_to CONTAINS "https://") AND NOT redirect_to CONTAINS "<your-directus-host>"
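The WAF workaround and the detection indicators above both reduce to one question: does a RelayState value, or the Location target issued after the SAML callback, leave the Directus origin? The Python below is an added example, not Directus code and not a rule from the advisory. It implements that check (covering the scheme-relative, userinfo@host, backslash and suffix-matching shapes that a plain "http://" substring test misses) and runs it over a few constructed log lines in an assumed, simplified access-log layout. ALLOWED_HOSTS, the log format and the field names are assumptions; replace them with your own.

```python
"""Added example, not Directus code: classify redirect targets and scan
constructed log lines for the external redirects this advisory describes."""
import re
from urllib.parse import unquote, urlsplit

# Hosts a post-login redirect may legitimately land on (assumed value; set it
# to your own Directus hostname(s)).
ALLOWED_HOSTS = {"directus.example.internal"}


def is_external_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True if following `target` would leave the allowed origin.

    A substring test for "http://" misses several shapes browsers still follow
    off-site, so each is handled explicitly below.
    """
    t = unquote(target).strip()
    # Browsers treat backslashes in the authority part like forward slashes.
    t = t.replace("\\", "/")
    if t.startswith("//"):
        return True  # scheme-relative URL resolves to another host
    parts = urlsplit(t)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return True  # javascript:, data:, etc. are never valid targets
        # hostname drops any user:pass@ prefix, so "allowed@evil" is judged by "evil".
        # Exact-match the host; endswith() would let "allowed.evil.example" through.
        host = (parts.hostname or "").lower()
        return host not in allowed_hosts
    # No scheme: only a relative path stays on the origin.
    return bool(parts.netloc)


# Constructed sample lines in an assumed, simplified access-log layout:
# "<timestamp> <method> <path> <status> [location=<Location header>]".
SAMPLE_LOG = """\
2026-01-15T10:01:02Z GET /auth/login/saml?redirect=/admin/content 302 location=/admin/content
2026-01-15T10:01:09Z POST /auth/login/saml/callback 302 location=https://directus.example.internal/admin
2026-01-15T10:02:33Z POST /auth/login/saml/callback 302 location=https://directus.example.internal.evil.example/
2026-01-15T10:03:10Z POST /auth/login/saml/callback 302 location=//evil.example/phish
2026-01-15T10:04:44Z POST /auth/login/saml/callback 302 location=javascript:alert(1)
2026-01-15T10:05:01Z GET /items/articles 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: location=(?P<location>\S+))?$"
)


def find_suspicious_redirects(log_text: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (timestamp, location) for 302s from the SAML endpoints that leave the origin."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/auth/login/saml"):
            continue
        if m["status"] != "302" or not m["location"]:
            continue
        if is_external_redirect(m["location"], allowed_hosts):
            hits.append((m["ts"], m["location"]))
    return hits


if __name__ == "__main__":
    for ts, loc in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{ts} external redirect after SAML login -> {loc}")
```

Run against the constructed sample, three of the six lines are flagged: the look-alike subdomain, the scheme-relative target and the javascript: target; the relative path and the redirect to the allowed host are not. The same `is_external_redirect` check applied to the RelayState query parameter on inbound requests is the logic a WAF rule or an application-side allowlist needs; the exact-host comparison is the part that matters, since prefix or suffix matching is what turns a "block external URLs" rule into a bypassable one.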