PT-2025-12982 · Directus · Directus

Br41Nslug · Published 2025-03-26 · Updated 2025-08-26 · CVE-2025-30351

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions 10.10.0 through 11.4.x
Description: The issue allows a suspended user to keep accessing the API with a token generated in session auth mode, despite their suspended status. It occurs because the verifySessionJWT function lacks a check that the user is still active and permitted to use the API: only the token itself is validated. A suspended user can therefore continue to use a session token obtained before suspension until it expires.
Recommendations: For versions 10.10.0 through 11.4.x, update to version 11.5.0 to resolve the issue. As a temporary workaround, restrict API access for suspended users by adding a check of the user's status on each authenticated request until the patch can be applied.
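The gap described above, and the workaround the advisory recommends, as an added illustration that is not Directus code: a minimal HS256 session-token verifier (built on Node's `crypto` module) in its signature-and-expiry-only form beside a hardened form that re-reads the user's status from a store after the cryptographic checks and rejects anything other than an active user. The function names `verifySessionJWTWeak` and `verifySessionJWTHardened`, the `UserRecord` shape, the in-memory `USERS` map and the secret are all constructed for this example.

```typescript
// Added example (not Directus's own code). Demonstrates why a session JWT
// must be paired with a live user-status check, and what that check looks like.
import { createHmac, timingSafeEqual } from "node:crypto";

type UserStatus = "active" | "suspended" | "archived";
interface UserRecord { id: string; status: UserStatus }
interface SessionClaims { id: string; session: string; exp: number }

// Constructed sample data: one active user and one who was suspended after
// their session token was issued. A real deployment would query its user table.
const SECRET = "constructed-test-secret";
const USERS: Map<string, UserRecord> = new Map([
  ["u1", { id: "u1", status: "active" }],
  ["u2", { id: "u2", status: "suspended" }],
]);

const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Mint a token the way a login flow would, so the example runs stand-alone.
export function issueSessionToken(claims: SessionClaims, secret: string = SECRET): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = b64url(createHmac("sha256", secret).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

// Weak form: signature and expiry are checked, but nothing confirms the user
// behind the token is still allowed in. This mirrors the missing check in the
// advisory: a suspended user's unexpired token is still accepted.
export function verifySessionJWTWeak(
  token: string,
  secret: string = SECRET,
  now: number = Math.floor(Date.now() / 1000),
): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = b64url(createHmac("sha256", secret).update(`${header}.${payload}`).digest());
  const a = Buffer.from(sig);
  const b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null; // constant-time compare
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString()) as SessionClaims;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null; // expired
  return claims;
}

// Hardened form: after the cryptographic checks pass, look the user up again
// and fail closed unless the record exists and is "active". Suspension then
// takes effect on the next request, not when the token happens to expire.
export function verifySessionJWTHardened(
  token: string,
  users: Map<string, UserRecord> = USERS,
  secret: string = SECRET,
  now?: number,
): SessionClaims | null {
  const claims = verifySessionJWTWeak(token, secret, now);
  if (!claims) return null;
  const user = users.get(claims.id);
  if (!user || user.status !== "active") return null; // unknown, suspended or archived
  return claims;
}
```

The status lookup costs one read per request, which is the price of making a suspension take effect immediately; caching the status for a short TTL is a reasonable compromise, but the cache must be invalidated when an administrator suspends a user, or the same window reopens.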

Related Identifiers

CVE-2025-30351
GHSA-56P6-QW3C-FQ2G

Affected Products

Directus