CVE-2026-35408: Directus: Missing Cross-Origin Opener Policy

April 4, 2026 (updated April 7, 2026)

Directus’s Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord).

References

github.com/advisories/GHSA-8m32-p958-jg99
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-8m32-p958-jg99
nvd.nist.gov/vuln/detail/CVE-2026-35408

Code Behaviors & Features

Detect and mitigate CVE-2026-35408 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →