4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22032

CVE-2026-22032: Directus has open redirect in SAML

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the RelayState parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22032

CVE-2026-22032:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
directus	npm	< 11.14.0	11.14.0
@directus/api	npm	< 32.1.1	32.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security advisory and the associated commit dad9576ea9362905cc4de8028d3877caff36dc23 clearly indicates an open redirect vulnerability in the SAML authentication flow of Directus. The vulnerability exists because the RelayState parameter in the SAML callback endpoint was not being validated against an allowlist of domains. The patch introduces a check using the isLoginRedirectAllowed function within the createSAMLAuthRouter function in the file api/src/auth/drivers/saml.ts. This function is responsible for creating the SAML authentication routes, including the vulnerable callback handler. The absence of this validation in versions prior to the patch is what makes the createSAMLAuthRouter function vulnerable, as it constructs the logic that improperly handles the RelayState parameter, leading to the open redirect.

Vulnerable functions

createSAMLAuthRouter

api/src/auth/drivers/saml.ts

The function `createSAMLAuthRouter` sets up the SAML authentication routes. The vulnerability lies in the callback handler for this route, which processes the `RelayState` parameter. Before the patch, the `RelayState` parameter, which can be controlled by an attacker, was used for redirection without proper validation. This allowed an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon successful or failed authentication. The patch adds a call to `isLoginRedirectAllowed` to validate the `RelayState` URL against an allowlist, mitigating the open redirect vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22032: Directus has open redirect in SAML

CVE-2026-22032:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.3

4.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2026-22032: Directus has open redirect in SAML

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI