PT-2025-46911 · Directus · Directus

Published

2025-11-13

·

Updated

2025-12-08

·

CVE-2025-64746

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.13.0
Description: Directus does not remove field-level permission references when a field is deleted. When a field is dropped from a collection, the entry that names it in the permissions table is left in place. If a field with the same name is later created in that collection, it inherits the stale permission entry and may expose data that the new field was never meant to grant. This matters most in multi-tenant or production deployments where field names are routinely reused.
Recommendations: Update to version 11.13.0 or later.
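The practical question this advisory raises is whether an instance already carries permission rows that name deleted fields, and whether a field name you are about to reuse would resurrect one of them. The script below is an added example, not code from Directus or from the advisory. It assumes the shape of two Directus REST responses: items from GET /permissions carry "collection", "action" and "fields" (a list of field names, ["*"] for all fields, or None), and items from GET /fields/<collection> carry "field". The sample rows are constructed to mirror the advisory's scenario (a deleted "salary" field still named in a public read permission). Because it only reads API data, the same check can be re-run after upgrading to confirm that no stale references remain.

```python
"""Audit Directus permission rows for references to fields that no longer exist.

Added illustration; the response shapes are assumptions, not Directus code.
"""
from typing import Any, Dict, List, Optional, Tuple

Permission = Dict[str, Any]
Finding = Dict[str, Any]

# Constructed sample data. The field "salary" was deleted from "employees",
# but permission row 7 still lists it. Row 8 uses the wildcard and row 9 has
# no field restriction, so neither can carry a stale name.
PERMISSIONS: List[Permission] = [
    {"id": 7, "policy": "public", "collection": "employees", "action": "read",
     "fields": ["name", "salary", "department"]},
    {"id": 8, "policy": "editors", "collection": "employees", "action": "read",
     "fields": ["*"]},
    {"id": 9, "policy": "public", "collection": "employees", "action": "create",
     "fields": None},
    {"id": 10, "policy": "public", "collection": "projects", "action": "read",
     "fields": ["title", "budget"]},
]

# Constructed: what GET /fields/<collection> would return for each collection.
FIELDS_BY_COLLECTION: Dict[str, List[Dict[str, str]]] = {
    "employees": [{"field": "id"}, {"field": "name"}, {"field": "department"}],
    "projects": [{"field": "id"}, {"field": "title"}, {"field": "budget"}],
}


def _existing_fields(fields_by_collection: Dict[str, List[Dict[str, str]]],
                     collection: str) -> set:
    return {f["field"] for f in fields_by_collection.get(collection, [])}


def find_stale_permission_fields(permissions: List[Permission],
                                 fields_by_collection: Dict[str, List[Dict[str, str]]]
                                 ) -> List[Finding]:
    """Return one finding per permission row that names a field its collection no longer has.

    Wildcard rows ("*") and rows without a field list are skipped: they cannot
    hold a dangling field name. "keep" is the field list with stale names removed,
    preserving the original order, ready to be written back.
    """
    findings: List[Finding] = []
    for perm in permissions:
        fields: Optional[List[str]] = perm.get("fields")
        if not fields or "*" in fields:
            continue
        existing = _existing_fields(fields_by_collection, perm["collection"])
        stale = sorted(set(fields) - existing)
        if stale:
            findings.append({
                "id": perm["id"],
                "collection": perm["collection"],
                "action": perm["action"],
                "stale": stale,
                "keep": [f for f in fields if f in existing],
            })
    return findings


def would_inherit(permissions: List[Permission],
                  fields_by_collection: Dict[str, List[Dict[str, str]]],
                  collection: str, new_field: str) -> List[int]:
    """IDs of stale permission rows that a new field named `new_field` would inherit.

    Run this before reusing a field name in `collection`; a non-empty result
    means the new field would be readable or writable under an old grant.
    """
    return [f["id"] for f in find_stale_permission_fields(permissions, fields_by_collection)
            if f["collection"] == collection and new_field in f["stale"]]


def patch_bodies(findings: List[Finding]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """(permission id, body) pairs for PATCH /permissions/<id> that drop the stale names."""
    return [(f["id"], {"fields": f["keep"]}) for f in findings]


if __name__ == "__main__":
    for finding in find_stale_permission_fields(PERMISSIONS, FIELDS_BY_COLLECTION):
        print(f"permission {finding['id']} ({finding['collection']}/{finding['action']}): "
              f"stale fields {finding['stale']}, keep {finding['keep']}")
    print("reusing 'salary' would inherit:",
          would_inherit(PERMISSIONS, FIELDS_BY_COLLECTION, "employees", "salary"))
```

In a live deployment, replace the two constructed dictionaries with the decoded responses of GET /permissions and GET /fields/<collection> (using a token that can read both), review each finding, and only then apply the PATCH bodies; a stale row on a sensitive action is also worth correlating with the audit log to see whether a same-named field was ever recreated while the grant was dangling.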

Exploit

Fix

Weakness Enumeration

Improper Access Control

Incorrect Authorization

Related Identifiers

CVE-2025-64746
GHSA-9X5G-62GJ-WQF2

Affected Products

Directus