Monospace Directus vulnerabilities

44 known vulnerabilities affecting monospace/directus.

Total CVEs: 44
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 7, MEDIUM 35, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-26185 | MEDIUM | CVSS 5.3 | fixed in 11.15.0 | 2026-02-12
CWE-203. Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user en…
Source: NVD
CVE-2026-22032 | MEDIUM | CVSS 6.1 | fixed in 11.14.0 | 2026-01-08
CWE-601. Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flo…
Source: NVD
CVE-2025-64749 | MEDIUM | CVSS 4.3 | fixed in 11.13.0 | 2025-11-13
CWE-203. Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they a…
Source: NVD
CVE-2025-64748 | MEDIUM | CVSS 6.5 | fixed in 11.13.0 | 2025-11-13
CWE-201. Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration att…
Source: NVD
CVE-2025-64747 | MEDIUM | CVSS 5.5 | fixed in 11.13.0 | 2025-11-13
CWE-20. Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) r…
Source: NVD
CVE-2025-64746 | MEDIUM | CVSS 5.4 | fixed in 11.13.0 | 2025-11-13
CWE-284. Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field…
Source: NVD
CVE-2025-55746 | HIGH | CVSS 7.5 | affected ≥ 10.8.0, < 11.9.3 | 2025-08-20
CWE-73. Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and/or upload new files, with…
Source: NVD
CVE-2025-53887 | MEDIUM | CVSS 5.3 | affected ≥ 9.0.0, < 11.9.0 | 2025-07-15
CWE-200. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as the OpenAPI Spec version; this means that it is being exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information…
Source: NVD
CVE-2025-53886 | MEDIUM | CVSS 4.5 | affected ≥ 9.0.0, < 11.9.0 | 2025-07-15
CWE-200. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hi…
Source: NVD
CVE-2025-53885 | MEDIUM | CVSS 4.2 | affected ≥ 9.0.0, < 11.9.0 | 2025-07-15
CWE-532. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users, it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from o…
Source: NVD
CVE-2025-53889 | MEDIUM | CVSS 6.5 | affected ≥ 9.12.0, < 11.9.0 | 2025-07-15
CWE-287. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do, this can lead to…
Source: NVD
CVE-2025-30353 | HIGH | CVSS 7.5 | affected ≥ 9.12.0, < 11.5.0 | 2025-03-26
CWE-200. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes envir…
Source: NVD
CVE-2025-30351 | MEDIUM | CVSS 4.3 | affected ≥ 10.10.0, < 11.5.0 | 2025-03-26
CWE-672. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still…
Source: NVD
CVE-2025-30350 | MEDIUM | CVSS 5.3 | affected ≥ 9.22.0, < 11.5.0 | 2025-03-26
CWE-770. Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a burst of HEAD requests. Some tools use Directus to s…
Source: NVD
CVE-2025-30352 | MEDIUM | CVSS 5.3 | affected ≥ 9.0.1, < 11.5.0; v9.0.0 | 2025-03-26
CWE-200. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. The searchabl…
Source: NVD
CVE-2025-30225 | MEDIUM | CVSS 5.3 | affected ≥ 9.22.0, < 11.5.0 | 2025-03-26
CWE-770. Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a burst of malformed transformations. When making many…
Source: NVD
CVE-2025-27089 | MEDIUM | CVSS 4.3 | affected ≥ 11.0.0, < 11.1.2 | 2025-02-19
CWE-863. Directus is a real-time API and App dashboard for managing SQL database content. In affected versions, if there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply for, the user is allowed to update the superset of fields allowed by any…
Source: NVD
CVE-2025-24353 | MEDIUM | CVSS 4.3 | fixed in 11.2.0 | 2025-01-23
CWE-269. Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feat…
Source: NVD
CVE-2024-54151 | HIGH | CVSS 7.5 | affected ≥ 11.0.0, < 11.3.0 | 2024-12-09
CWE-200. Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any D…
Source: NVD
CVE-2024-54128 | MEDIUM | CVSS 4.6 | affected ≥ 10.10.0, < 10.13.4; ≥ 11.0.0, < 11.2.2 | 2024-12-05
CWE-80. Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulnerability is fixed in…
Source: NVD