Directus · Directus · CVE-2023-27481
**Name of the Vulnerable Software and Affected Versions**
Directus versions prior to 9.16.0
**Description**
The issue allows users with read access to the `password` field in `directus_users` to extract argon2 password hashes by brute forcing the export functionality combined with a `starts with` filter: each export request reveals whether the stored hash begins with a guessed prefix, so the hash can be recovered one character at a time. This enables the enumeration of password hashes. However, taking over accounts is unlikely with current hardware unless the hashes can be reversed.
**Recommendations**
For versions prior to 9.16.0, upgrade to version 9.16.0 or later to patch the issue.
As a temporary workaround for users unable to upgrade, ensure that no user has `read` access to the `password` field in `directus_users`.
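One way to verify the workaround above, as an added audit script that is not part of the advisory or of Directus itself: it walks a list of permission objects (shape assumed from the Directus 9 `/permissions` API, with a constructed sample inline) and flags every role whose `read` permission on `directus_users` covers the `password` field, either explicitly or via the `*` wildcard.

```python
"""Audit Directus 9 permission objects for read access to directus_users.password.

The permission shape (collection, action, fields, role) is assumed from the
Directus 9 permissions API; the sample below is constructed for illustration.
Admin roles bypass the permissions table entirely, so only non-admin grants
are visible here.
"""
from typing import Iterable, List, Tuple

SENSITIVE_COLLECTION = "directus_users"
SENSITIVE_FIELD = "password"


def _field_list(fields) -> List[str]:
    # The API returns a list; the database row stores a comma-separated string.
    if fields is None:
        return []
    if isinstance(fields, str):
        return [f.strip() for f in fields.split(",") if f.strip()]
    return list(fields)


def grants_password_read(perm: dict) -> bool:
    """True if this permission lets a role read directus_users.password."""
    if perm.get("collection") != SENSITIVE_COLLECTION:
        return False
    if perm.get("action") != "read":
        return False  # create/update grants do not expose the stored hash
    fields = _field_list(perm.get("fields"))
    return "*" in fields or SENSITIVE_FIELD in fields


def find_password_read_grants(perms: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (permission id, role) pairs that violate the workaround."""
    return [(p.get("id"), p.get("role")) for p in perms if grants_password_read(p)]


# Constructed sample: two offending grants, two harmless ones, one public role.
SAMPLE_PERMISSIONS = [
    {"id": "perm-1", "role": "role-editor", "collection": "directus_users",
     "action": "read", "fields": ["*"]},
    {"id": "perm-2", "role": "role-support", "collection": "directus_users",
     "action": "read", "fields": "email,password"},
    {"id": "perm-3", "role": "role-viewer", "collection": "directus_users",
     "action": "read", "fields": ["email", "first_name"]},
    {"id": "perm-4", "role": "role-viewer", "collection": "directus_users",
     "action": "update", "fields": ["password"]},
    {"id": "perm-5", "role": None, "collection": "articles",
     "action": "read", "fields": ["*"]},
]

if __name__ == "__main__":
    for perm_id, role in find_password_read_grants(SAMPLE_PERMISSIONS):
        print(f"remove password from read fields: permission {perm_id}, role {role}")
```

Feed the output of `GET /permissions` (as an admin) into `find_password_read_grants` to audit a live instance before and after applying the workaround.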