CVE-2025-27089 — Incorrect Authorization in Directus
Severity
4.3 MEDIUM (NVD)
EPSS
0.2%
top 61.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 19
Description
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions, if two overlapping policies for the `update` action allow access to different fields, the user is allowed to update the superset of fields allowed by any of the policies, instead of each policy's field permissions being checked against the item that policy actually applies to. E.g. have one policy allowing update access to `field_a` if the `id == 1` and one policy allowing update access to `field_b` if the…
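The policy-merging flaw described above, as an added illustration that is not Directus code: a simplified model in which the vulnerable evaluator unions the field sets of every `update` policy before consulting the item, while the fixed evaluator only counts policies whose condition holds for that item. The second policy's condition (`id == 2`) is an assumption, since the advisory text is cut off.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    fields: frozenset   # fields this policy lets the user update
    condition: dict     # every key/value here must match the item


# Constructed sample policies mirroring the advisory: field_a only on id == 1,
# field_b only on id == 2 (the second condition is assumed, not from the page).
POLICIES = [
    Policy(frozenset({"field_a"}), {"id": 1}),
    Policy(frozenset({"field_b"}), {"id": 2}),
]


def matches(policy, item):
    """True when the item satisfies every condition of the policy."""
    return all(item.get(k) == v for k, v in policy.condition.items())


def allowed_fields_vulnerable(policies, item):
    # Flawed: merges the field lists of all policies for the action without
    # looking at the item, so per-policy conditions never narrow the result.
    allowed = set()
    for p in policies:
        allowed |= p.fields
    return allowed


def allowed_fields_fixed(policies, item):
    # Correct: only policies whose condition holds for this item contribute.
    allowed = set()
    for p in policies:
        if matches(p, item):
            allowed |= p.fields
    return allowed


def check_update(policies, item, requested, evaluate=allowed_fields_fixed):
    """Return True only if every requested field is permitted on this item."""
    return set(requested) <= evaluate(policies, item)
```

With the vulnerable evaluator, an update of `field_b` on the item with `id == 1` passes even though no policy grants it there; the fixed evaluator rejects it.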
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4