cbcvebase.
CVE-2025-64746
published 2025-11-13

CVE-2025-64746: Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level…

PriorityP429medium5.4CVSS 3.1
AVNACLPRNUIRSUCLILAN
EPSS
0.16%
5.9th percentile
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

Affected

3 ranges
VendorProductVersion rangeFixed in
directusdirectus< 11.13.011.13.0
directusdirectus>= 0 < 11.13.011.13.0
monospacedirectus< 11.13.011.13.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.