Directus · Directus · CVE-2024-39701
**Name of the Vulnerable Software and Affected Versions**
Directus versions 9.23.0 through 10.5.3
**Description**
The issue arises from the improper handling of the `_in` and `_nin` operators in Directus, where empty arrays are evaluated as valid. This leads to Broken Access Control, as rules intended to pass only when a field matches any of the given values fail to function correctly. For instance, an expression like `{"role": {"_in": $CURRENT_USER.some_field}}` would evaluate to true when `some_field` resolves to an empty array, allowing the request to pass even when it should not. This can result in users gaining access to unauthorized resources.
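To make the failure mode concrete, the following is an added example (not Directus code) of a minimal rule evaluator in the shape of a Directus permission filter. It shows the vulnerable semantics described above, where an empty allowed-value list makes an `_in` rule pass, next to plain set-membership semantics, and includes a small audit helper that flags `_in` conditions whose dynamic value resolves to an empty array for a given user. The rule, record, user objects and the function names `resolveValue`, `matchesVulnerable`, `matchesFixed`, `evaluateRule` and `findEmptyInConditions` are all constructed for this illustration.

```javascript
// Added example: a toy filter evaluator modelled on the shape of Directus
// permission rules ({ field: { _in: [...] } }). This is NOT Directus's own code;
// all rules, records and users below are constructed sample data.

// Resolve a dynamic value such as "$CURRENT_USER.allowed_roles" against the
// requesting user's record. A missing field resolves to an empty array, which is
// exactly the input that triggers the described bug.
function resolveValue(value, currentUser) {
  if (typeof value === 'string' && value.startsWith('$CURRENT_USER.')) {
    const field = value.slice('$CURRENT_USER.'.length);
    const resolved = currentUser[field];
    return resolved === undefined ? [] : resolved;
  }
  return value;
}

// Vulnerable semantics (reconstruction of the behaviour the advisory describes):
// an empty list of values is treated as "no constraint", so the condition passes.
function matchesVulnerable(op, fieldValue, list) {
  if (list.length === 0) return true;
  const member = list.includes(fieldValue);
  return op === '_in' ? member : !member;
}

// Correct semantics: ordinary set membership.
// "in []" is never true; "nin []" is always true.
function matchesFixed(op, fieldValue, list) {
  const member = list.includes(fieldValue);
  return op === '_in' ? member : !member;
}

// Evaluate every field/operator pair in a rule against one record, using the
// supplied matcher so both semantics can be compared on the same input.
function evaluateRule(rule, record, currentUser, matcher) {
  return Object.entries(rule).every(([field, condition]) =>
    Object.entries(condition).every(([op, rawValue]) => {
      if (op !== '_in' && op !== '_nin') throw new Error('unsupported operator ' + op);
      const list = resolveValue(rawValue, currentUser);
      if (!Array.isArray(list)) throw new Error(op + ' expects an array');
      return matcher(op, record[field], list);
    })
  );
}

// Audit helper: list "_in" conditions that resolve to an empty array for this user.
// Such a condition is intended to deny, so on a vulnerable version it is a grant.
function findEmptyInConditions(rule, currentUser) {
  const flagged = [];
  for (const [field, condition] of Object.entries(rule)) {
    for (const [op, rawValue] of Object.entries(condition)) {
      const list = resolveValue(rawValue, currentUser);
      if (op === '_in' && Array.isArray(list) && list.length === 0) {
        flagged.push(field + '.' + op);
      }
    }
  }
  return flagged;
}

// Constructed sample data
const rule = { role: { _in: '$CURRENT_USER.allowed_roles' } };
const record = { id: 42, role: 'admin' };
const userWithNoRoles = { id: 7, allowed_roles: [] };
const userWithRoles = { id: 8, allowed_roles: ['editor', 'admin'] };

function demo() {
  return {
    // user has no allowed roles: vulnerable semantics still grant access
    vulnerableEmpty: evaluateRule(rule, record, userWithNoRoles, matchesVulnerable),
    // same input under set semantics: denied
    fixedEmpty: evaluateRule(rule, record, userWithNoRoles, matchesFixed),
    // user whose list contains the record's role: granted either way
    fixedListed: evaluateRule(rule, record, userWithRoles, matchesFixed),
  };
}

console.log(demo());
console.log('flagged conditions:', findEmptyInConditions(rule, userWithNoRoles));
```

Run it with `node`. The only input difference between the granted and denied outcomes is whether the resolved list is empty, which is why a rule that looked safe in testing (users always had at least one value) can silently become a grant for users whose field is empty. Note that `_nin` with an empty array evaluates to true under both semantics, which is the correct set-membership result, so the access-control impact is on `_in`.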
**Recommendations**
For Directus versions 9.23.0 through 10.5.3, update to version 10.6.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `_in` and `_nin` operators in filter rules until the update can be applied. Additionally, review and adjust validation rules to ensure they are not relying on the faulty behavior of these operators.