CVE-2026-39943: Directus: Sensitive fields exposed in revision history

April 4, 2026 (updated April 9, 2026)

Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.

References

github.com/advisories/GHSA-mvv8-v4jj-g47j
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j
nvd.nist.gov/vuln/detail/CVE-2026-39943

Code Behaviors & Features

Detect and mitigate CVE-2026-39943 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →