Directus · Directus · CVE-2023-28443
**Name of the Vulnerable Software and Affected Versions**
Directus versions prior to 9.23.3
**Description**
Directus versions before 9.23.3 do not redact the `directus_refresh_token` from log output, so the token is written to the logs in clear text. Anyone who can read those logs (an operator, a user of a log-aggregation service, or an attacker who has obtained the log files) can submit a logged refresh token to `/auth/refresh`, receive a fresh access token, and act as that user without the user's knowledge or consent. Because the resulting actions are recorded as the legitimate user's, this undermines accountability and non-repudiation: actions taken in the application can no longer be confidently attributed to the logged-in user. Examples of potential misuse include a disgruntled employee deleting data or a mischievous engineer uploading questionable content under the guise of an unsuspecting boss.
**Recommendations**
For versions prior to 9.23.3, update to version 9.23.3, which redacts the token from log output. Until the upgrade is possible, restrict access to log output to the smallest set of people and systems that need it, and avoid logging request headers (including cookies) and request bodies where your deployment allows it; the refresh token itself cannot be avoided, since `/auth/refresh` is how sessions are renewed, which is exactly why it must not reach the logs. Note that upgrading does not invalidate tokens that were logged before the fix: they remain usable until they expire or are revoked, so after upgrading, search existing logs for leaked refresh tokens, invalidate the affected sessions (for example by forcing those users to log out), and purge or redact the historical log data.
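The two operational steps above (finding refresh tokens that have already reached the logs, and redacting them before a line is written) can be done with a small script. The following is an added example, not Directus project code. The log line format is constructed for illustration and does not match Directus's real logger output; the cookie name `directus_refresh_token` and the `/auth/refresh` endpoint are the ones the advisory refers to, but the exact patterns should be adapted to the log format actually in use.

```javascript
// Added example: scan log lines for leaked Directus refresh tokens and redact
// them. Not Directus project code. The log format below is constructed for
// illustration; adapt COOKIE_RE / JSON_RE to your deployment's real log format.

const REDACTED = '[REDACTED]';

// Constructed sample lines (not real Directus logs); the token values are made up.
const SAMPLE_LOGS = [
  'req: GET /users/me cookie="directus_refresh_token=AbC123.refresh; theme=dark"',
  'req: POST /auth/refresh body={"refresh_token":"XyZ789.refresh","mode":"json"}',
  'req: GET /items/articles cookie="theme=dark"',
];

// Two places a refresh token can appear: the Cookie header and a JSON body
// sent to /auth/refresh. The value is captured in group 2 in both patterns.
const COOKIE_RE = /(directus_refresh_token=)([^;"\s]+)/g;
const JSON_RE = /("refresh_token"\s*:\s*")([^"]+)(")/g;

// Return { line, token } for every refresh token found, ignoring the
// redaction marker so the scanner reports zero findings on cleaned logs.
function findLeakedTokens(lines) {
  const found = [];
  lines.forEach((line, idx) => {
    for (const re of [COOKIE_RE, JSON_RE]) {
      for (const m of line.matchAll(re)) {
        if (m[2] !== REDACTED) found.push({ line: idx + 1, token: m[2] });
      }
    }
  });
  return found;
}

// Replace token values with the marker; run this on each line before it is
// written out (or over historical logs before they are retained).
function redact(line) {
  return line
    .replace(COOKIE_RE, '$1' + REDACTED)
    .replace(JSON_RE, '$1' + REDACTED + '$3');
}

// Usage: list leaked tokens (these sessions should be invalidated), then show
// the cleaned lines.
for (const hit of findLeakedTokens(SAMPLE_LOGS)) {
  console.log(`line ${hit.line}: leaked refresh token ${hit.token}`);
}
for (const line of SAMPLE_LOGS) console.log(redact(line));
```

Tokens reported by `findLeakedTokens` should be treated as compromised: invalidate the corresponding sessions rather than relying on redaction of the stored logs alone, since copies of the log data may already exist elsewhere.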