CVE-2025-53889Improper Authentication in Directus

CWE-287Improper AuthenticationCWE-285Improper Authorization3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 77.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Monospace DirectusDirectus
Timeline
PublishedJul 15

Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authen

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

npmdirectus/directus< 11.9.0
NVDmonospace/directus9.12.011.9.0
CVEListV5directus/directus>= 9.12.0, < 11.9.0

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows2025-07-15
GHSA
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows2025-07-15