CVE-2023-38503

Name of the Vulnerable Software and Affected Versions Directus versions 10.3.0 through 10.4.x

Description The issue concerns the improper checking of permission filters when using GraphQL subscriptions, resulting in unauthorized users receiving events they should not have access to. This affects any collection, including the directus users collection, which is configured with such a permissions filter by default. The problem arises when permissions rely on the $CURRENT USER variable for filtering.

Recommendations For versions 10.3.0 through 10.4.x, update to version 10.5.0 to resolve the issue. As a temporary workaround for affected versions, consider disabling GraphQL subscriptions to minimize the risk of exploitation.