PT-2025-5336 · Directus · Directus

Viters

·

Published

2025-01-23

·

Updated

2025-11-18

·

CVE-2025-24353

CVSS v3.1

5.0

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.2.0
Description: The issue allows a typical (non-admin) user to specify an arbitrary role when sharing an item. Because the server accepts the client-supplied role and evaluates the share with that role's permissions, the user can pick a higher-privileged role and expose fields that their own role is not allowed to read. This affects instances that use the share feature, have a role hierarchy, and hide some fields from lower-privileged roles.
Recommendations: For versions prior to 11.2.0, update to version 11.2.0 or later, which contains a patch for the issue. As a temporary workaround, restrict the share feature to admins only, or limit the fields that can be shared to those the sharing user can already read.
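The check the workaround describes, as an added example that is not Directus code and does not reproduce the 11.2.0 patch: a share must not let its visitor read more than the user who created it can read. The type names, the READABLE_FIELDS sample matrix and the createShare* functions are hypothetical stand-ins for the real permission lookup; the vulnerable variant trusts the caller-supplied role, the hardened variant rejects any role whose readable fields are not a subset of the sharer's (admins bypass the check, matching the "admins only" workaround).

```typescript
// Added illustration of the share-role privilege check; not Directus code.
// Accountability, ShareRequest, READABLE_FIELDS and createShare* are hypothetical names.

type RoleId = string;

interface Accountability {
  user: string;
  role: RoleId;
  admin: boolean; // admins may share under any role
}

interface ShareRequest {
  collection: string;
  item: string;
  role: RoleId; // role the share link will act as; fully caller-controlled
}

interface Share {
  item: string;
  role: RoleId;
  fields: string[]; // fields a visitor of the share link can read
}

// Constructed sample permission matrix: fields each role may read per collection.
const READABLE_FIELDS: Record<RoleId, Record<string, string[]>> = {
  admin: { articles: ["id", "title", "body", "internal_notes", "author_salary"] },
  editor: { articles: ["id", "title", "body", "internal_notes"] },
  viewer: { articles: ["id", "title", "body"] },
};

function readableFields(role: RoleId, collection: string): Set<string> {
  return new Set(READABLE_FIELDS[role]?.[collection] ?? []);
}

class ForbiddenError extends Error {}

// Vulnerable shape: persist whatever role the client sent and later evaluate the
// share with that role's permissions, so a viewer can share as "admin".
function createShareVulnerable(acc: Accountability, req: ShareRequest): Share {
  return { item: req.item, role: req.role, fields: [...readableFields(req.role, req.collection)] };
}

// Hardened shape: a non-admin may only create a share whose role reads a subset
// of what the sharer can already read, so the share can never widen visibility.
function createShareHardened(acc: Accountability, req: ShareRequest): Share {
  const sharerCanRead = readableFields(acc.role, req.collection);
  if (sharerCanRead.size === 0) {
    throw new ForbiddenError(`role ${acc.role} cannot read ${req.collection}`);
  }
  const shareWillRead = readableFields(req.role, req.collection);
  if (!acc.admin) {
    for (const field of shareWillRead) {
      if (!sharerCanRead.has(field)) {
        throw new ForbiddenError(
          `role ${req.role} exposes ${req.collection}.${field}, which ${acc.user} cannot read`,
        );
      }
    }
  }
  return { item: req.item, role: req.role, fields: [...shareWillRead] };
}

// Fields a share exposes beyond what its creator can read; an empty list means
// the share did not escalate privilege. Useful for auditing existing shares.
function escalatedFields(acc: Accountability, share: Share, collection: string): string[] {
  const sharerCanRead = readableFields(acc.role, collection);
  return share.fields.filter((f) => !sharerCanRead.has(f));
}
```

Running escalatedFields over every stored share against its creator's role is also a practical way to find shares created before the upgrade that already expose hidden fields; those should be deleted rather than left in place.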

Weakness Enumeration

Improper Privilege Management (CWE-269)

Related Identifiers

BDU:2025-05409
CVE-2025-24353
GHSA-PMF4-V838-29HG

Affected Products

Directus