CVE-2026-39942

描述

## Summary A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the `filename_disk` parameter. ## Details The `PATCH /files/{id}` endpoint accepts a user-controlled `filename_disk` parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as `uploaded_by` to obscure the tampering. ## Impact - **Unauthorized File Overwrite**: Attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption. - **Remote Code Execution**: If the storage backend is shared with the extensions location, attackers can deploy malicious extensions that execute arbitrary code when loaded. - **Data Integrity Compromise**: Files can be tampered with or replaced without visible indication in the application interface. ## Mitigation The `filename_disk` parameter should be treated as a server-controlled value. Uniqueness of storage paths must be enforced server-side, and `filename_disk` should be excluded from the fields users are permitted to update directly.

受影響套件(1)

• npm/directusfrom 0, < 11.17.0

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-39942
• PATCHhttps://github.com/directus/directus
• WEBhttps://github.com/directus/directus/releases/tag/v11.17.0
• WEBhttps://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95