CVE-2026-26185: Directus Vulnerable to User Enumeration via Password Reset Timing Attack
A timing-based user enumeration vulnerability exists in the Directus password reset functionality. When an invalid reset_url parameter is supplied, the response time differs by approximately 500 ms depending on whether the requested account exists, which makes user enumeration reliable.
References
- github.com/advisories/GHSA-jr94-gj3h-c8rf
- github.com/directus/directus
- github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
- github.com/directus/directus/pull/26485
- github.com/directus/directus/releases/tag/v11.14.1
- github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
- nvd.nist.gov/vuln/detail/CVE-2026-26185