greprules.io
Sign inSubmit rule
Explore/cve-2026-35409-directus-missing-oauth-validation

CVE-2026-35409: Directus Missing Oauth Validation

A request authorization check verifies primary user, role, or administrative presence but fails to subsequently inspect and validate OAuth constraints (such as scope, audience, or origin/transport) when an OAuth token is present. This allows users or tokens with inappropriate scopes or mismatched audiences to bypass intended logical barriers. OAuth propertie

Provally CuratedPublic repositoryMediumMedium confidenceVerifiedApache-2.0typescript
greprules fetch cve-2026-35409-directus-missing-oauth-validation --engine opengrep

Description

A request authorization check verifies primary user, role, or administrative presence but fails to subsequently inspect and validate OAuth constraints (such as scope, audience, or origin/transport) when an OAuth token is present. This allows users or tokens with inappropriate scopes or mismatched audiences to bypass intended logical barriers. OAuth propertie

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided

License
Apache-2.0
Source context
Public repository
Source
Provally CVE rule catalog
Validation status
Verified
Trust signals
115 downloads0 direct115 via packs
· 0 stars · Trust score 61How trust works
Included packs
2 packs

Community feedback

Sign in to report false positives, mark this rule useful, or suggest metadata improvements.

Mark usefulReport false positiveSuggest metadata