What is the severity of CVE-2026-35412?

CVE-2026-35412 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-35412?

No known public exploits are currently available for CVE-2026-35412.

Is there a patch available for CVE-2026-35412?

No official patches have been released yet for CVE-2026-35412. Consider implementing workarounds or mitigations.

CVE-2026-35412 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-35412?

## Summary Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on `directus_files`, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. ## Impact - **Arbitrary file overwrite:** Any authenticated user with basic TUS upload permissions can overwrite any file in `directus_files` by UUID, regardless of row-level permission rules. - **Permanent data loss:** The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content. - **Metadata corruption:** The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in `directus_files`, a low-privilege user could replace them with malicious content. ## Workaround Disable TUS uploads by setting `TUS_ENABLED=false` if resumable uploads are not required. ## Credit This vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).

Summary

Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path.

Impact

Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.
Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.
Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.

Workaround

Disable TUS uploads by setting TUS_ENABLED=false if resumable uploads are not required.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Summary

Impact

Arbitrary file overwrite: Any authenticated user with basic TUS upload permissions can overwrite any file in directus_files by UUID, regardless of row-level permission rules.

Permanent data loss: The victim file's original stored bytes are deleted from storage and replaced with attacker-controlled content.

Metadata corruption: The victim file's database record is updated with the attacker's filename, type, and size metadata. Privilege escalation potential: If admin-owned files (e.g., application assets, templates) are stored in directus_files, a low-privilege user could replace them with malicious content.

CVE-2026-35412

Summary

Impact

Workaround

Credit

Ready for Agentic Automated Testing?

CVE-2026-35412

Summary

Impact

Workaround

Credit