Information Disclosure Vulnerability in Directus API Dashboard by Directus
CVE-2025-53886

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 15 July 2025

What is CVE-2025-53886?

Directus, a real-time API and app dashboard for managing SQL database content, has an information disclosure flaw in its logging. In versions 9.0.0 up to and including 11.8.0, Flows that use the Webhook trigger log the full incoming request, headers included, and the Cookie header carries the access and refresh tokens of a browser session that hits the endpoint. Anyone who can read those logs, in practice an administrator, can replay the tokens and hijack the originating user's session for as long as the tokens remain valid, so a malicious or compromised admin gains a path to other users' sessions that the permission model does not otherwise grant. The leak is limited to requests that carry tokens in cookies; a call authenticated with a bearer token in the Authorization header is affected only if that header is logged as well. The issue is fixed in Directus 11.9.0. Operators should upgrade, treat log data produced by earlier versions as containing credentials (purge the affected entries and invalidate or rotate sessions that passed through webhook-triggered flows), and keep read access to flow logs restricted to trusted administrators.
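The following is an added example, not code from Directus or from the advisory, that contrasts the leak pattern described above (serialising a whole webhook request into a log line) with a redacting logger, and adds a scanner for token values that have already been written to logs. The cookie names directus_session_token and directus_refresh_token, the trigger URL and the token values are assumptions constructed for the example; Directus lets deployments rename its cookies, so adjust the set accordingly.

```javascript
// Added example, not Directus project code. Cookie names, the flow URL and the
// token values are assumptions constructed for illustration.

const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'set-cookie']);
const SENSITIVE_COOKIES = new Set(['directus_refresh_token', 'directus_session_token']);

// Constructed sample: a flow webhook request sent from a logged-in browser session.
const sampleRequest = {
  method: 'POST',
  url: '/flows/trigger/0f1e2d3c',
  headers: {
    'content-type': 'application/json',
    cookie: 'directus_session_token=eyJhbGciOiJIUzI1NiJ9.SESSION.sig; ' +
            'directus_refresh_token=REFRESH-abc123; theme=dark',
  },
  body: { hello: 'world' },
};

// Vulnerable pattern: the whole request object, headers included, becomes the log line.
function logRequestUnsafe(req) {
  return JSON.stringify({ method: req.method, url: req.url, headers: req.headers, body: req.body });
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Hardened pattern: credential-bearing headers are replaced before logging, and
// only cookies not in the sensitive set keep their values.
function redactRequestForLog(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (lower === 'cookie') {
      headers[name] = Object.entries(parseCookies(value))
        .map(([k, v]) => (SENSITIVE_COOKIES.has(k) ? `${k}=[REDACTED]` : `${k}=${v}`))
        .join('; ');
    } else if (SENSITIVE_HEADERS.has(lower)) {
      headers[name] = '[REDACTED]';
    } else {
      headers[name] = value;
    }
  }
  return { method: req.method, url: req.url, headers, body: req.body };
}

function logRequestSafe(req) {
  return JSON.stringify(redactRequestForLog(req));
}

// Detection: scan existing log lines for token cookies written in the clear.
// A value of "[REDACTED]" is skipped; anything else up to the next ';', quote or
// whitespace is reported as a leaked token.
const LEAK_PATTERN = /(directus_(?:refresh|session)_token)=(?!\[REDACTED\])([^;\s"\\]+)/g;

function findLeakedTokens(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    for (const m of line.matchAll(LEAK_PATTERN)) {
      hits.push({ line: i + 1, cookie: m[1], token: m[2] });
    }
  });
  return hits;
}

// Stand-alone run: the unsafe logger leaks both tokens, the safe one leaks none.
console.log(findLeakedTokens([logRequestUnsafe(sampleRequest)]));
console.log(findLeakedTokens([logRequestSafe(sampleRequest)]));
```

Run the scanner over exported log entries from a pre-11.9.0 instance; every hit identifies a session whose tokens should be invalidated, and the line numbers tell you which entries to purge. The redaction is by cookie name rather than by value pattern so that a renamed cookie is caught by updating one set, not a regex.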

Timeline

  • Vulnerability published
