Information Disclosure Vulnerability in Directus API Dashboard by Directus
CVE-2025-53886

4.5 MEDIUM

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 15 July 2025

What is CVE-2025-53886?

Directus is a platform for managing SQL database content in real time via APIs. Versions 9.0.0 through 11.8.0 contain a flaw in their logging: when the WebHook trigger is used, the full incoming request is written to the log, including cookies that carry access and refresh tokens. A malicious administrator who can read these logs could use the recorded tokens to hijack user sessions for as long as the tokens remain valid. The issue is fixed in Directus 11.9.0.
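The defensive pattern behind the fix, as an added example in plain Node.js (not Directus code): build the log record from a redacted copy of the request instead of logging the request object as received. Cookie names, the request path and the token values are constructed for illustration.

```javascript
// Added example, not Directus code. Cookie names, path and token values are constructed.
const REDACTED = '[REDACTED]';

// Keep cookie names (useful when debugging) but drop every cookie value,
// since the values are the session and refresh tokens the advisory describes.
function redactCookieHeader(value) {
  return value
    .split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => `${pair.split('=')[0]}=${REDACTED}`)
    .join('; ');
}

// Keep the auth scheme (e.g. "Bearer") but drop the credential itself.
function redactAuthorizationHeader(value) {
  const scheme = value.split(' ')[0];
  return value.includes(' ') ? `${scheme} ${REDACTED}` : REDACTED;
}

// Return a copy of the headers that is safe to write to a log.
// Header names are compared case-insensitively, as HTTP requires.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (key === 'cookie') out[name] = redactCookieHeader(String(value));
    else if (key === 'authorization') out[name] = redactAuthorizationHeader(String(value));
    else if (key === 'set-cookie') out[name] = REDACTED;
    else out[name] = value;
  }
  return out;
}

// The record a webhook-trigger log should contain: method, path, redacted headers.
// The unsafe form is the equivalent of `logger.info(req)` on the raw request.
function requestLogRecord(req) {
  return { method: req.method, url: req.url, headers: redactHeaders(req.headers) };
}

// Constructed sample request carrying tokens in cookies and a bearer header.
const sampleRequest = {
  method: 'POST',
  url: '/webhook/example',
  headers: {
    'Content-Type': 'application/json',
    Cookie: 'access_token=SAMPLE_ACCESS; refresh_token=SAMPLE_REFRESH',
    Authorization: 'Bearer SAMPLE_BEARER',
  },
};

console.log(JSON.stringify(requestLogRecord(sampleRequest)));
```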

Affected Version(s)

directus >= 9.0.0, < 11.9.0

References

CVSS V3.1

Score: 4.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

.