PT-2025-29529 · Directus · Directus

Licitdev · Published 2025-07-14 · Updated 2025-07-29 · CVE-2025-53889

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions 9.12.0 through 11.8.9

Description: Directus is a real-time API and App dashboard for managing SQL database content. Flows with a manual trigger do not validate whether the user triggering the Flow has permissions to the items provided as payload to the Flow. As a result, a Flow can execute its tasks on an attacker's behalf without authentication: bad actors can run manual trigger Flows without authentication and without access rights to the relevant collection(s) or item(s). Manual trigger Flows do not currently validate whether the user has read access to Directus flows or to the relevant collection/items.

Recommendations: Update to version 11.9.0 or later. Implement permission checks for read access to Flows. Implement permission checks for read access to the relevant collection/items.


Weakness Enumeration: Improper Authorization, Improper Authentication

Related Identifiers: CVE-2025-53889, GHSA-7CVF-PXGP-42FC

Affected Products: Directus