CVE-2026-26185
📋 TL;DR
This timing-based user enumeration vulnerability in Directus allows attackers to determine whether specific usernames/emails exist in the system by measuring response time differences in password reset requests. Attackers can reliably enumerate valid user accounts, which is the first step in targeted attacks. All Directus instances before version 11.14.1 are affected.
💻 Affected Systems
- Directus
📦 What is this software?
Directus by Monospace
⚠️ Risk & Real-World Impact
Worst Case
Attackers build a complete user directory, then conduct targeted phishing, credential stuffing, or social engineering attacks against identified users, potentially leading to account compromise.
Likely Case
Attackers enumerate valid user accounts to target with password spraying or credential stuffing attacks, increasing success rates for account takeover.
If Mitigated
With rate limiting and monitoring, attackers may still enumerate some users, but detection would occur before significant damage is done.
🎯 Exploit Status
Exploitation requires timing measurements, but tools can automate this easily. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.14.1
Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
Restart Required: Yes
Instructions:
1. Back up your Directus instance.
2. Update Directus to version 11.14.1 or later using your package manager.
3. Restart the Directus service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Implement Rate Limiting
Add strict rate limiting to password reset endpoints to make timing attacks impractical.
Web Application Firewall Rules
Configure the WAF to detect and block rapid password reset attempts.
🧯 If You Can't Patch
- Implement network-level rate limiting on password reset endpoints
- Monitor for unusual patterns of password reset requests and investigate
🔍 How to Verify
Check if Vulnerable:
Check the Directus version. If it is below 11.14.1, the system is vulnerable.
Check Version:
Check package.json, run: npm list directus (if using npm), or check the version shown in the admin panel.
Verify Fix Applied:
Confirm the Directus version is 11.14.1 or higher and test that password reset timing differences are eliminated.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from single IP
- Unusual patterns of password reset requests
Network Indicators:
- Rapid sequential requests to password reset endpoint with varying parameters
SIEM Query:
source="directus-logs" AND (event="password_reset_request" OR endpoint="/auth/password/reset") | stats count by src_ip, user_agent | where count > 10
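The SIEM query above, reproduced as a small stand-alone detector that counts password reset requests per (src_ip, user_agent) and flags clients over the threshold. This is an added example, not code from the advisory or from Directus; the JSON-per-line log format, field names and sample traffic are constructed assumptions, and the endpoint path is the one the query uses.

```python
# Added example, not code from the advisory or from Directus: a small
# detector that mirrors the SIEM query above, counting password reset
# requests per (src_ip, user_agent) and flagging clients over a threshold.
# The JSON-per-line log format and field names below are assumptions.
import json
from collections import Counter

RESET_PATH = "/auth/password/reset"  # endpoint value taken from the SIEM query

def _record(src_ip, user_agent, path, second):
    # Build one constructed log line in the assumed JSON format.
    return json.dumps({
        "ts": f"2026-03-01T10:00:{second:02d}Z", "src_ip": src_ip,
        "user_agent": user_agent, "method": "POST", "path": path, "status": 204,
    })

# Constructed sample traffic: one client hammering the reset endpoint,
# one client with a few legitimate resets, some unrelated logins, and a
# malformed line that the parser must tolerate.
SAMPLE_LOGS = (
    [_record("203.0.113.10", "python-requests/2.31", RESET_PATH, i) for i in range(12)]
    + [_record("198.51.100.7", "Mozilla/5.0", RESET_PATH, i) for i in range(3)]
    + [_record("203.0.113.10", "python-requests/2.31", "/auth/login", i) for i in range(5)]
    + ["<<truncated log line>>"]
)

def parse_line(line):
    """Parse one JSON log line; return None for lines that are not valid JSON."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None

def find_reset_bursts(lines, threshold=10, path=RESET_PATH):
    """Return {(src_ip, user_agent): count} for clients whose reset request
    count exceeds threshold, the equivalent of the query's 'where count > 10'."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("path") != path:
            continue
        counts[(rec.get("src_ip"), rec.get("user_agent"))] += 1
    return {client: n for client, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for (ip, ua), n in find_reset_bursts(SAMPLE_LOGS).items():
        print(f"ALERT: {n} password reset requests from {ip} ({ua})")
```

Feed real access logs one line per entry in place of SAMPLE_LOGS; lowering the threshold or adding a time window tightens the rule at the cost of more false positives.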