CVE-2026-26185: Clockwatching: Enumerating Directus Users via Timing Side-Channels
How-To, Security


via Dev.to, CVE Reports

Vulnerability ID: CVE-2026-26185
CVSS Score: 5.3
Published: 2026-02-12

A logic error in the Directus password reset flow allows attackers to enumerate valid email addresses by measuring server response times. By manipulating the 'reset_url' parameter, attackers can bypass the application's anti-enumeration timing protections.

TL;DR

Directus implemented a 'stall' mechanism to hide whether a user exists during password resets. However, they validated the 'reset_url' parameter after the user lookup but before the stall, and only on the code path taken for existing users. This created a 500ms timing discrepancy: with an invalid 'reset_url', existing users return an error immediately (fast), while non-existing users still trigger the artificial delay (slow).

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-203 (Observable Discrepancy)
Attack Vector: Network
CVSS: 5.3 (Medium)
Impact: Information Disclosure (User Enumeration)
Exploit Status: Proof of Concept (Trivial)
Affected Compon
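The ordering flaw described in the TL;DR, modelled as an added example (constructed JavaScript, not Directus source code): the vulnerable handler checks 'reset_url' only after the user lookup and only on the existing-user branch, so an invalid 'reset_url' is rejected before the stall for a known address but after the stall for an unknown one; the hardened handler validates input before any user-dependent branch and makes the stall the last step on every successful path. The in-memory user store, the allow-list, the function names and the leaksExistence regression check are assumptions; the stall is injected as a callback so a test can record it instead of sleeping.

```javascript
// Constructed demonstration of the reset_url ordering bug; not Directus source.
// Assumptions: an in-memory user store, a fixed allow-list for reset_url, and a
// stall() callback that the caller injects (real sleep, or a recorder for tests).

const USERS = new Map([['alice@example.com', { id: 1 }]]);          // constructed sample store
const STALL_MS = 500;                                               // artificial delay from the write-up
const RESET_URL_ALLOW_LIST = ['https://app.example.test/reset'];    // assumed allow-list

// reset_url is optional; when present it must be on the allow-list.
function isAllowedResetUrl(resetUrl) {
  return resetUrl === undefined || RESET_URL_ALLOW_LIST.includes(resetUrl);
}

// VULNERABLE ordering: reset_url is validated after the lookup and only on the
// existing-user branch, so a bad reset_url throws before the stall for a known
// address, while the unknown-address path still pays the full stall.
function requestResetVulnerable(email, resetUrl, stall) {
  const user = USERS.get(email);
  if (user) {
    if (!isAllowedResetUrl(resetUrl)) {
      throw new Error('invalid reset_url');   // returns without stalling
    }
    // a real service would queue the reset e-mail here
  }
  stall(STALL_MS);
  return 'ok';
}

// HARDENED ordering: validate request input before any user-dependent branch,
// and make the stall the last thing on every successful path. Invalid input is
// rejected at the same cost for every address; valid input stalls for every address.
function requestResetHardened(email, resetUrl, stall) {
  if (!isAllowedResetUrl(resetUrl)) {
    throw new Error('invalid reset_url');     // before the lookup, same cost for all
  }
  const user = USERS.get(email);
  if (user) {
    // a real service would queue the reset e-mail here
  }
  stall(STALL_MS);
  return 'ok';
}

// Runs a handler with a recording stall so outcome and delay can be compared
// deterministically (no real sleeping).
function observe(handler, email, resetUrl) {
  let stalledMs = 0;
  let outcome;
  try {
    outcome = handler(email, resetUrl, (ms) => { stalledMs += ms; });
  } catch (err) {
    outcome = 'error';
  }
  return { outcome, stalledMs };
}

// Regression check: true when the delay differs between a known and an unknown
// address for the same reset_url, i.e. the timing side-channel is present.
function leaksExistence(handler, resetUrl) {
  const known = observe(handler, 'alice@example.com', resetUrl);
  const unknown = observe(handler, 'nobody@example.com', resetUrl);
  return known.stalledMs !== unknown.stalledMs;
}

// Real blocking sleep for the stand-alone demo (Node.js allows Atomics.wait on the main thread).
function blockingSleep(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Stand-alone demo: time the invalid-reset_url case against both handlers.
if (typeof require !== 'undefined' && require.main === module) {
  const badUrl = 'https://not-on-the-list.example.test/';
  for (const [name, handler] of [['vulnerable', requestResetVulnerable], ['hardened', requestResetHardened]]) {
    for (const email of ['alice@example.com', 'nobody@example.com']) {
      const start = process.hrtime.bigint();
      try { handler(email, badUrl, blockingSleep); } catch (err) { /* expected for invalid reset_url */ }
      const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
      console.log(`${name.padEnd(10)} ${email.padEnd(20)} ${elapsedMs.toFixed(0)} ms`);
    }
  }
}
```

Run with `node` to see the vulnerable handler answer the known address in roughly 0 ms and the unknown one in roughly 500 ms for the same invalid 'reset_url', while the hardened handler answers both at the same cost. The defensive takeaway is that any early return placed between the user lookup and the stall reintroduces the channel, whatever the stall's length; a check like leaksExistence, run against every input-validation error the endpoint can raise, catches that regression in CI before it reaches a measurable response time.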

Continue reading on Dev.to
