Insufficient Authorization Issue in Directus API Management Tool
CVE-2025-53889

Currently unrated

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 15 July 2025

What is CVE-2025-53889?

Directus, a real-time API and app dashboard for managing SQL database content, performs insufficient authorization checks in its manual-trigger Flows. From version 9.12.0 to 11.8.0, a manual-trigger Flow can be executed without validating that the caller has read access to the Flow itself or to the collections and items named in the request payload. An attacker could therefore run Flow tasks on behalf of users without authentication. Upgrading to version 11.9.0 fixes the issue; as a workaround, implement local permission checks for access to Flows and to the collections they operate on.
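The following is an added illustration of the class of check the description calls for, written for this page and not taken from Directus: a manual-trigger endpoint that trusts the request payload as-is, beside one that first verifies the caller is authenticated, may read the Flow definition, and may read every item the payload names. The data model (`Flow`, `Caller`, `read_rules`, the `flows` collection name, the `collection`/`keys` payload shape) is a hypothetical stand-in for a permission system, not Directus's API.

```python
# Hypothetical model of the authorization a manual-trigger endpoint should
# perform before running a flow. Not Directus code; all names are invented.
from dataclasses import dataclass, field
from typing import Optional

FLOWS_COLLECTION = "flows"  # assumed name of the collection holding flow definitions


class AuthorizationError(Exception):
    """Raised when the caller may not trigger the flow with this payload."""


@dataclass
class Flow:
    id: str
    collections: frozenset  # collections this manual trigger is allowed to act on


@dataclass
class Caller:
    user_id: Optional[str]  # None means an unauthenticated request
    # collection -> set of readable item keys, or None for "all items";
    # a collection absent from the dict is not readable at all
    read_rules: dict = field(default_factory=dict)


def can_read(caller: Caller, collection: str, key: Optional[str] = None) -> bool:
    """True if the caller may read `key` in `collection` (or the whole collection if key is None)."""
    if collection not in caller.read_rules:
        return False
    allowed = caller.read_rules[collection]
    if allowed is None:
        return True
    return key is not None and key in allowed


def run_flow(flow: Flow, payload: dict) -> dict:
    # Stand-in for the flow engine: just report what would be executed.
    return {"flow": flow.id, "collection": payload["collection"], "keys": list(payload.get("keys") or [])}


def trigger_flow_unchecked(flow: Flow, payload: dict) -> dict:
    # Shape of the flaw: the payload is acted on without any permission check.
    return run_flow(flow, payload)


def trigger_flow(caller: Caller, flow: Flow, payload: dict) -> dict:
    """Hardened trigger: authenticate, then check read access on the flow and on every target item."""
    if caller.user_id is None:
        raise AuthorizationError("manual triggers require an authenticated caller")
    if not can_read(caller, FLOWS_COLLECTION, flow.id):
        raise AuthorizationError(f"no read access to flow {flow.id}")
    collection = payload.get("collection")
    keys = payload.get("keys") or []
    if collection not in flow.collections:
        raise AuthorizationError(f"flow {flow.id} is not configured for collection {collection!r}")
    if not keys and not can_read(caller, collection):
        # A trigger with no selected items acts on the whole collection.
        raise AuthorizationError(f"no collection-wide read access to {collection}")
    denied = [k for k in keys if not can_read(caller, collection, k)]
    if denied:
        raise AuthorizationError(f"no read access to {collection} items {denied}")
    return run_flow(flow, payload)


def is_denied(caller: Caller, flow: Flow, payload: dict) -> bool:
    """Convenience for callers/tests: True if the hardened trigger rejects the request."""
    try:
        trigger_flow(caller, flow, payload)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data.
    flow = Flow("f1", frozenset({"articles"}))
    admin = Caller("u1", {FLOWS_COLLECTION: None, "articles": None})
    editor = Caller("u2", {FLOWS_COLLECTION: frozenset({"f1"}), "articles": frozenset({"a1"})})
    anon = Caller(None)
    payload = {"collection": "articles", "keys": ["a1", "a2"]}
    print("unchecked:", trigger_flow_unchecked(flow, payload))
    print("admin:", trigger_flow(admin, flow, payload))
    print("anon denied:", is_denied(anon, flow, payload))
    print("editor denied (a2 not readable):", is_denied(editor, flow, payload))
```

The point of the hardened version is that the payload is treated as untrusted input: the caller's permissions are evaluated against each item the payload names, not just against the Flow.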

References

Timeline

  • Vulnerability published
