Directus · Directus · CVE-2025-30353
**Name of the Vulnerable Software and Affected Versions**
Directus versions 9.12.0 through 11.4.0
**Description**
Directus is a real-time API and App dashboard for managing SQL database content. When a Flow that uses the "Webhook" trigger together with the "Data of Last Operation" response body hits a ValidationError thrown by a failed Condition operation, the API response returned to the webhook caller includes sensitive internal data instead of only the error. This data includes environment variables, sensitive API keys, the accountability information of the user on whose behalf the Flow ran, and operational data. Because this is returned in the response body of the Flow's own trigger endpoint, any unintended exposure of this data could lead to misuse.
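As an added example (not code from the Directus project or the advisory), the script below does two things a practitioner checking an instance for this issue would want: it walks a decoded webhook error response and reports every path that carries Flow data-chain keys or credential-looking fields, and it shows the minimal error shape such a response should have carried instead. The sample response is constructed by hand; the data-chain key names `$trigger`, `$accountability`, `$env` and `$last` are assumed from Directus Flows conventions, their placement under `extensions` is an assumption made only for this sample, and every value is fictitious.

```python
"""Scan a Directus Flow webhook error response for leaked Flow data.

Added example, not Directus project code. Key names and layout of the
constructed sample are assumptions; all values are fictitious.
"""
import re

# Data-chain keys that must never reach a webhook caller (assumed names).
SENSITIVE_KEYS = {"$env", "$accountability", "env", "accountability"}

# Field names that usually hold credentials, wherever they appear.
SECRET_KEY_RE = re.compile(r"(secret|token|password|api[_-]?key|authorization)", re.I)


def find_sensitive_paths(obj, path="$"):
    """Return JSON-style paths of every field in `obj` that looks sensitive.

    Dict keys are checked by name; lists and nested dicts are walked so the
    scan works no matter where the data chain is attached in the response.
    """
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS or SECRET_KEY_RE.search(key):
                hits.append(child)
            hits.extend(find_sensitive_paths(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_paths(item, f"{path}[{i}]"))
    return hits


def sanitize_error_response(body):
    """Keep only the error message and code: what a caller needs to act on.

    Everything else attached to the error (trigger payload, accountability,
    environment, last operation result) is dropped.
    """
    out = {"errors": []}
    for err in body.get("errors", []):
        code = err.get("extensions", {}).get("code", "INTERNAL_SERVER_ERROR")
        out["errors"].append({
            "message": err.get("message", "Flow failed"),
            "extensions": {"code": code},
        })
    return out


# Constructed sample of a leaking response from a failed Condition operation.
# The data chain under "extensions" is an assumed layout for this sample only.
SAMPLE_RESPONSE = {
    "errors": [
        {
            "message": 'Validation failed for field "status". Value has to be "published".',
            "extensions": {
                "code": "FAILED_VALIDATION",
                "$trigger": {
                    "headers": {"authorization": "Bearer example-static-token"},
                    "body": {"status": "draft"},
                },
                "$accountability": {
                    "user": "00000000-0000-4000-8000-000000000001",
                    "role": "00000000-0000-4000-8000-000000000002",
                    "ip": "203.0.113.7",
                },
                "$env": {
                    "SECRET": "example-directus-secret",
                    "DB_PASSWORD": "example-db-password",
                },
                "$last": {"status": "draft"},
            },
        }
    ]
}


def check_sample():
    """Scan the constructed sample and its sanitized form; return both hit lists."""
    leaked = find_sensitive_paths(SAMPLE_RESPONSE)
    cleaned = find_sensitive_paths(sanitize_error_response(SAMPLE_RESPONSE))
    return leaked, cleaned


if __name__ == "__main__":
    leaked, cleaned = check_sample()
    print("leaked fields in raw response:")
    for p in leaked:
        print("  ", p)
    print("leaked fields after sanitizing:", cleaned or "none")
```

To run this against a live instance, trigger the Flow with a request body that fails its Condition operation (the webhook trigger URL is assumed here to be of the form `/flows/trigger/<flow-id>`), decode the JSON response and pass it to `find_sensitive_paths`; any reported path is data the caller should not have received.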
**Recommendations**
To resolve the issue, update to version 11.5.0 or later. As a temporary workaround, disable the "Webhook" trigger on Flows that use the "Data of Last Operation" response body, so that a failed Condition operation cannot return its data to the caller. Restrict access to sensitive data and operational logs to prevent unauthorized exposure. Until the fix is applied, avoid referencing `env` (environment variables) and other sensitive values in Flows reachable through the affected endpoint.