11 matches found

Veracode · added 2025/07/18 6:57 a.m. · 3 views

Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to improper handling of user data in the "Log to Console" operation within Directus Flows, which allows an attacker with admin privileges to log and access sensitive data of other users during create or update events...

CVSS 4.2 · AI score 5.7 · EPSS 0.00109
Exploits 0 · References 5 · Affected Software 1
RedhatCVE · added 2025/07/17 12:50 a.m. · 10 views

CVE-2025-53889

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...

CVSS 6.5 · AI score 7.8 · EPSS 0.00244
Exploits 0 · References 1
RedhatCVE · added 2025/07/16 11:44 p.m. · 10 views

CVE-2025-53885

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...

CVSS 4.2 · AI score 7.7 · EPSS 0.00109
Exploits 0 · References 1
OSV · added 2025/07/15 3:36 p.m. · 4 views

GHSA-7CVF-PXGP-42FC Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows

Summary Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without...

CVSS 6.5 · AI score 6.3 · EPSS 0.00244
Exploits 0 · References 5
Github Security Blog · added 2025/07/15 3:36 p.m. · 8 views

Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows

Summary Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without...

CVSS 6.5 · AI score 6.5 · EPSS 0.00244
Exploits 0 · References 5 · Affected Software 1
OSV · added 2025/07/15 3:28 p.m. · 2 views

GHSA-F24X-RM6G-3W5V Directus tokens are not redacted in flow logs, exposing session credentials to all admins

Summary When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Impact Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them...

CVSS 4.5 · AI score 6.2 · EPSS 0.0031
Exploits 0 · References 5
Github Security Blog · added 2025/07/15 3:18 p.m. · 6 views

Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged

Summary When using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Impact Malicious admins can log sensitive data from other users when they are created or updated. Workarounds Avoid...

CVSS 4.2 · AI score 6.3 · EPSS 0.00109
Exploits 0 · References 6 · Affected Software 1
Vulnrichment · added 2025/07/14 11:50 p.m. · 2 views

CVE-2025-53889 Directus missing permission checks for manual trigger Flows

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...

CVSS 6.5 · AI score 7 · EPSS 0.00244
Exploits 0 · References 3
Cvelist · added 2025/07/14 11:50 p.m. · 7 views

CVE-2025-53889 Directus missing permission checks for manual trigger Flows

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...

CVSS 6.5 · EPSS 0.00244
Exploits 0 · References 3
CVE · added 2025/07/14 11:35 p.m. · 33 views

CVE-2025-53886

Directus vulnerability CVE-2025-53886 affects Directus with Flows using the WebHook trigger prior to version 11.9.0. The issue logs all incoming request details, including sensitive data such as access and refresh tokens stored in cookies, enabling a user with log access (malicious admins) to hij...

CVSS 4.5 · AI score 7 · EPSS 0.0031
Exploits 0 · References 4 · Affected Software 1
Positive Technologies · added 2023/09/15 12:00 a.m. · 2 views

PT-2023-32964 · Unknown +3 · Isolated-Vm +3

Name of the Vulnerable Software and Affected Versions: vm2 versions up to 3.9.19 Directus versions prior to 10.6.0 Description: The issue allows attackers to bypass Promise handler sanitization in vm2, enabling them to escape the sandbox and execute arbitrary code. This specifically affects the...

CVSS 7.6 · AI score 8
Exploits 0 · References 6