CVE-2025-30351 · LOW · ≥ 11.0.7, < 13.0.0 · 2025-03-26
CVE-2025-30351 [LOW] CWE-672 Suspended Directus user can continue to use session token to access API
### Summary
Since the user status is not checked when verifying a session token, a suspended user can use the token generated in session auth mode to access the API despite their status.
### Details
There is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. Ri
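
The missing check can be shown in a small model. This is an added example, not Directus source code: the in-memory `users` and `sessions` tables, the secret and every function name here are constructed for illustration. One verifier accepts any signed token with a live session row, while the other also requires the owning user to be active at verification time.

```javascript
// Added illustration; not Directus source. All names and data are constructed.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';
const users = new Map([['u1', { status: 'active' }]]); // constructed user table
const sessions = new Map([['s1', { user: 'u1' }]]);     // constructed session table

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Issue an HS256 session JWT carrying the user id and session id.
function issueSessionJWT(userId, sessionId, ttlSeconds = 900) {
  const head = b64({ alg: 'HS256', typ: 'JWT' });
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const body = b64({ id: userId, session: sessionId, exp });
  return `${head}.${body}.${mac(`${head}.${body}`).toString('base64url')}`;
}

// Signature and expiry checks shared by both verifiers.
function decodeVerified(token) {
  const [head, body, sig] = token.split('.');
  if (!head || !body || !sig) throw new Error('malformed token');
  const given = Buffer.from(sig, 'base64url');
  const expected = mac(`${head}.${body}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (payload.exp <= Math.floor(Date.now() / 1000)) throw new Error('expired');
  return payload;
}

// Flawed pattern: the session row exists, so the token is accepted.
function verifySessionFlawed(token) {
  const payload = decodeVerified(token);
  if (!sessions.has(payload.session)) throw new Error('unknown session');
  return payload;
}

// Hardened pattern: also require the owning user to be active right now.
function verifySessionHardened(token) {
  const payload = decodeVerified(token);
  const session = sessions.get(payload.session);
  if (!session || session.user !== payload.id) throw new Error('unknown session');
  if (users.get(session.user)?.status !== 'active') throw new Error('user not active');
  return payload;
}

// Suspending a user only changes status; existing session rows are untouched.
function suspendUser(userId) { users.get(userId).status = 'suspended'; }
```

In this model, deleting the user's session rows at suspension time would also close the gap, but the status check at verification still covers any session that the cleanup misses.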