CVE-2026-35412
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Description
## Summary Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on `directus_files`, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. ## Impact - **Arbitrary file overwrite:** Any authenticated user with basic TUS upload permissions can overwrite any file in `directus_files` by UUID, regardless of row-level permission rules. - **Permanent data loss:** The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content. - **Metadata corruption:** The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in `directus_files`, a low-privilege user could replace them with malicious content. ## Workaround Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required. ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).
How to fix CVE-2026-35412
To remediate CVE-2026-35412, upgrade the affected package to a fixed version below.
- —upgrade to 11.16.1 or later
Is CVE-2026-35412 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 11.16.1