CVE-2026-35409: Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import

April 4, 2026 (updated April 7, 2026)

A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.

References

github.com/advisories/GHSA-wv3h-5fx7-966h
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h
nvd.nist.gov/vuln/detail/CVE-2026-35409

Code Behaviors & Features

Detect and mitigate CVE-2026-35409 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →