CVE-2026-35412
Summary
Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.
Impact
- Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in
directus_filesby UUID, regardless of row-level permission rules. - Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
- Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata.
Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.
Workaround
Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.
Credit
This vulnerability was discovered and reported by bugbunny.ai.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/directus/directus/security/advisories/GHSA-qqmv-5p3g-px89, https://nvd.nist.gov/vuln/detail/CVE-2026-35412, https://github.com/directus/directus
Basic Information
