CVE-2026-35412: Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Directus’ TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., “users can only update their own files”) are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.
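The two authorization strategies contrasted above, as an added illustration that is not Directus code: a collection-level check that only asks whether the role has any update permission on `directus_files`, beside an item-level check that also evaluates the row-level filter against the target file. The permission shape, the `$CURRENT_USER` placeholder, the function names and the sample users and files are all constructed for this example.

```javascript
// Added illustration (not Directus code): a minimal model of the two
// authorization strategies described in the advisory. The permission
// shape, the "$CURRENT_USER" placeholder and all sample data are assumptions.

// Constructed sample data: two users' files, keyed by UUID-like ids.
const files = {
  "1111-aaaa": { id: "1111-aaaa", uploaded_by: "alice", filename: "a.pdf" },
  "2222-bbbb": { id: "2222-bbbb", uploaded_by: "bob",   filename: "b.pdf" },
};

// Hypothetical row-level rule: the "basic" role may update directus_files,
// but only rows whose uploaded_by matches the acting user.
const permissions = [
  { role: "basic", collection: "directus_files", action: "update",
    filter: { uploaded_by: "$CURRENT_USER" } },
];

// Vulnerable pattern: collection-level check only. It answers "does this
// role have *some* update permission on directus_files?" and never looks
// at the target row, so the row-level filter is silently ignored.
function canOverwriteCollectionOnly(user, fileId) {
  return permissions.some(p => p.role === user.role &&
    p.collection === "directus_files" && p.action === "update");
}

// Hardened pattern: resolve the target row and evaluate each permission's
// filter against it, so the rule that guards REST updates applies here too.
function canOverwriteItemLevel(user, fileId) {
  const file = files[fileId];
  if (!file) return false;               // unknown id: deny, reveal nothing
  return permissions.some(p => {
    if (p.role !== user.role || p.collection !== "directus_files" ||
        p.action !== "update") return false;
    return Object.entries(p.filter || {}).every(([field, want]) =>
      file[field] === (want === "$CURRENT_USER" ? user.id : want));
  });
}
```

Running the two checks for a user who owns only one of the files shows the collection-only check granting an overwrite of the other user's file while the item-level check denies it.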