GHSA-mvv8-v4jj-g47j: Directus: cleartext storage exposes AI API keys

Published April 4, 2026

CISO Take

If your organization runs Directus with AI integrations (OpenAI, Anthropic, Google), any authenticated user or service account with read access to directus_revisions or flow logs can steal your AI provider API keys in plaintext — right now, without any exploitation complexity. Upgrade to Directus 11.17.0 immediately and rotate every AI API key, user token, and 2FA secret that was stored while running an affected version. Treat this as a credential breach response until keys are confirmed rotated.

Risk Assessment

Despite a CVSS of 6.5 (Medium), the practical risk is higher for AI-integrated deployments. The attack requires only valid low-privilege credentials — no technical expertise needed, just a SELECT query on directus_revisions. The blast radius includes account takeover (stolen tokens bypass MFA), unauthorized AI API usage (cost harvesting, data exfiltration through AI services), and lateral movement via stolen auth credentials. Organizations running Directus as a headless CMS backing AI workflows face compounded exposure: the leaked API keys grant access to external AI systems far beyond the Directus instance itself.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
directus	npm	< 11.17.0	`11.17.0`

Do you use directus? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

PATCH: Upgrade to Directus 11.17.0 immediately — this is the only complete fix.
ROTATE CREDENTIALS: Revoke and reissue all AI provider API keys (OpenAI, Anthropic, Google) stored in Directus user profiles — assume they are compromised. Also rotate user tokens and reset 2FA secrets for all accounts.
AUDIT: Query directus_revisions for records containing 'ai_openai_api_key', 'ai_anthropic_api_key', 'ai_google_api_key', 'token', 'tfa_secret', 'auth_data', 'credentials' to determine exposure scope and timeframe.
REVIEW FLOW LOGS: Inspect Directus Flows execution logs for the same fields — purge sensitive entries after review.
ACCESS REVIEW: Identify all accounts with read access to directus_revisions and directus_flows_operation and audit their activity logs.
DETECTION: Alert on anomalous API usage for any rotated keys during the investigation window.

Classification

Data Leakage Data Extraction Auth Bypass API Framework Agent AML.T0012 - Valid Accounts AML.T0034 - Cost Harvesting AML.T0037 - Data from Local System AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.5 - Data security for AI systems

NIST AI RMF

GOVERN-6.2 - AI security risks and impacts are evaluated and addressed MANAGE-2.2 - Mechanisms are in place for identifying and addressing issues in AI system performance

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Technical Details

NVD Description

### Summary Directus stores revision records (in `directus_revisions`) whenever items are created or updated. Due to the revision snapshot code not consistently calling the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. Additionally, the same sensitive fields were missing from the redaction list used when Directus Flows logged operation payloads involving the `directus_users` collection. ### Impact Any user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including: - `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials` - `ai_openai_api_key`, `ai_anthropic_api_key`, `ai_google_api_key`, `ai_openai_compatible_api_key` This could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users. ### Affected code paths 1. **Item create/update revisions** The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded. 2. **Authentication service** When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta. 3. **Flows** The payload redaction list used when writing flow logs was missing `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`, and the AI API key fields, causing these to be written unredacted into flow execution data.

Exploitation Scenario

A low-privilege internal user or compromised service account authenticates to Directus and queries: SELECT snapshot FROM directus_revisions WHERE collection = 'directus_users'. The returned JSON blobs contain plaintext values for ai_openai_api_key, ai_anthropic_api_key, token, and tfa_secret for every user whose record was ever revised. The adversary extracts the OpenAI API key and immediately begins unauthorized inference calls — either for cost harvesting or to exfiltrate data via a model the victim org has fine-tuned. Simultaneously, the stolen token grants persistent API access without triggering MFA, enabling lateral movement across the Directus instance and any connected systems. The entire attack requires no special tooling, no vulnerability exploit, and leaves minimal forensic trace beyond normal API access logs.