CVE-2026-35408 — Directus is a real-time API and App dashboard for managing SQL database…
Image via opengraph.githubassets.com
🚨 CVE-2026-35408 Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Direct
Missing Cross-Origin Opener Policy
github.com
What This Means For You
- Affects Google ecosystem — review Chrome/Android/GCP deployments.
- New vulnerability disclosed — verify if your stack is exposed.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35408 | Misconfiguration | Directus versions prior to 11.17.0, missing Cross-Origin-Opener-Policy (COOP) HTTP response header on SSO login pages. |
| CVE-2026-35408 | Auth Bypass | Directus versions prior to 11.17.0, exploitation of missing COOP header to intercept and redirect OAuth authorization flow. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158228 |
| Published | April 07, 2026 at 01:26 UTC |
| Original Link | https://github.com/directus/directus/security/advisories/... |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us to stay ahead.
Share