GHSA-mvv8-v4jj-g47j: Directus: Sensitive fields exposed in revision history

April 4, 2026 (updated April 7, 2026)

Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.

References

github.com/advisories/GHSA-mvv8-v4jj-g47j
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j

Code Behaviors & Features

Detect and mitigate GHSA-mvv8-v4jj-g47j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →