{"id":"GHSA-mvv8-v4jj-g47j","summary":"Directus: Sensitive fields exposed in revision history","details":"### Summary\n\nDirectus stores revision records (in `directus_revisions`) whenever items are created or updated. Due to the revision snapshot code not consistently calling the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.\n\n### Impact\nAny user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:\n- `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`\n- `ai_openai_api_key`, `ai_anthropic_api_key`, `ai_google_api_key`, `ai_openai_compatible_api_key`\n\nThis could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.\n\n### Affected code paths\n\n1. **Item create/update revisions** The data (snapshot) field written to `directus_revisions` was not processed through `prepareDelta`, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.\n2. **Authentication service** When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.","aliases":["CVE-2026-39943"],"modified":"2026-04-09T19:19:00.341858Z","published":"2026-04-04T06:12:07Z","database_specific":{"severity":"MODERATE","cwe_ids":["CWE-200","CWE-312"],"nvd_published_at":"2026-04-09T17:16:29Z","github_reviewed":true,"github_reviewed_at":"2026-04-04T06:12:07Z"},"references":[{"type":"WEB","url":"https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39943"},{"type":"PACKAGE","url":"https://github.com/directus/directus"},{"type":"WEB","url":"https://github.com/directus/directus/releases/tag/v11.17.0"}],"affected":[{"package":{"name":"directus","ecosystem":"npm","purl":"pkg:npm/directus"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"11.17.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mvv8-v4jj-g47j/GHSA-mvv8-v4jj-g47j.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}