PT-2025-7624 · Directus · Directus

Hanneskuettner · Published 2025-02-19 · Updated 2025-02-19

CVE-2025-27089

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.1.2

Description: The issue allows update access to unintended fields due to overlapping policies for the update action, potentially impacting the password field for user accounts. In affected versions, if two overlapping policies allow access to different fields, the user is allowed to update the superset (the union) of the fields allowed by any of the policies, regardless of which policy's condition matched the item. For example, with one policy allowing update access to field a if id == 1 and another policy allowing update access to field b if id == 2, a user holding both policies can update both field a and field b for the items with ids 1 and 2. The fix evaluates permissions for each field that the user tries to update inside the validateItemAccess DB query, instead of only verifying access to the item as a whole. It does so by returning a flag indicating whether the user has access to that field, using the same case/when mechanism that is already used for stripping out non-permitted fields.

Recommendations: Upgrade to version 11.1.2 or later, which addresses the vulnerability. There are no known workarounds.
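The following is an added toy model of the overlapping-policy problem and of the per-field check described above; it is not Directus code. The policy objects, the `matches` callbacks and the item values are constructed for illustration, with the two policies taken from the advisory's own example.

```javascript
// Added example, not Directus code: a toy model of per-field update permissions
// that reproduces the overlapping-policy bug and the per-field fix described above.

// Constructed policies mirroring the advisory: field "a" when id == 1,
// field "b" when id == 2. A real policy carries a filter, not a callback.
const policies = [
  { label: "a-on-1", fields: ["a"], matches: (item) => item.id === 1 },
  { label: "b-on-2", fields: ["b"], matches: (item) => item.id === 2 },
];

// Vulnerable behaviour: access to the item as a whole is checked (does any
// policy match?), then the update is allowed for the union of the fields
// granted by all of the user's policies.
function allowedFieldsVulnerable(ps, item) {
  if (!ps.some((p) => p.matches(item))) return [];
  return [...new Set(ps.flatMap((p) => p.fields))].sort();
}

function canUpdateVulnerable(ps, item, requested) {
  const allowed = allowedFieldsVulnerable(ps, item);
  return requested.every((f) => allowed.includes(f));
}

// Fixed behaviour: one flag per requested field, in the spirit of the CASE/WHEN
// the fix reuses; a field is permitted only by a policy whose condition matches
// this particular item.
function fieldFlags(ps, item, requested) {
  const flags = {};
  for (const f of requested) {
    flags[f] = ps.some((p) => p.matches(item) && p.fields.includes(f));
  }
  return flags;
}

function canUpdateFixed(ps, item, requested) {
  return Object.values(fieldFlags(ps, item, requested)).every(Boolean);
}

// Demonstration on the advisory's scenario: item 1 should only expose field "a".
const item1 = { id: 1, a: "x", b: "y" };
console.log("vulnerable, item 1, update b:", canUpdateVulnerable(policies, item1, ["b"])); // true
console.log("fixed,      item 1, update b:", canUpdateFixed(policies, item1, ["b"]));      // false
console.log("fixed,      item 1, update a:", canUpdateFixed(policies, item1, ["a"]));      // true
```

The same per-field evaluation is what stops a policy that grants password updates under one condition from leaking onto items that only satisfy a different policy's condition.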

Exploit · Fix · Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-27089
GHSA-99VM-5V2H-H6R6

Affected Products

Directus