Field-Level Permission Leak in Directus API Management Tool
CVE-2025-64746

4.6 MEDIUM

Key Information:

Vendor: Directus
Status: Vendor
CVE Published: 13 November 2025

What is CVE-2025-64746?

Directus, an API and application dashboard for managing SQL database content, has a flaw in how it handles field-level permissions. Prior to version 11.13.0, when a field is deleted from a collection, its associated entry in the permissions table is left in place. If a field with the same name is later created in that collection, it automatically inherits the stale permissions that were granted to the deleted field. This can expose data to roles that were never meant to see the new field, particularly in deployments where administrators reuse field names and assume the permissions were reset along with the field. Version 11.13.0 addresses this issue.
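The following is an added illustration, not code from Directus, of the failure mode described above. It models a permissions table with one row per role, collection, field and action (a simplification; the real Directus schema is not reproduced here), contrasts a field deletion that leaves permission rows behind with one that cleans them up, and includes an audit that lists permission rows referencing fields that no longer exist. All names (`articles`, `internal_notes`, the `editor` role) are constructed for the example.

```typescript
// Added example (not Directus code): a minimal model of field-level permissions
// showing how a stale permission row is inherited by a recreated field.

interface PermissionRow {
  role: string;
  collection: string;
  field: string;
  action: "read" | "update";
}

interface Store {
  fields: Map<string, Set<string>>; // collection -> live field names
  permissions: PermissionRow[];     // the "permissions table"
}

function createStore(): Store {
  return { fields: new Map(), permissions: [] };
}

function createField(store: Store, collection: string, field: string): void {
  if (!store.fields.has(collection)) store.fields.set(collection, new Set());
  store.fields.get(collection)!.add(field);
}

function grant(store: Store, row: PermissionRow): void {
  store.permissions.push(row);
}

// Vulnerable behaviour as described in the advisory: the field goes away,
// but the permission rows that reference it are left untouched.
function deleteFieldLeavingPermissions(store: Store, collection: string, field: string): void {
  store.fields.get(collection)?.delete(field);
}

// Hardened behaviour: permission rows tied to the field are removed in the
// same step, so a later field with the same name starts with no grants.
function deleteFieldWithCleanup(store: Store, collection: string, field: string): void {
  store.fields.get(collection)?.delete(field);
  store.permissions = store.permissions.filter(
    (p) => !(p.collection === collection && p.field === field)
  );
}

// Access check: the field must exist and a matching permission row must be present.
function canAccess(
  store: Store, role: string, collection: string, field: string, action: PermissionRow["action"]
): boolean {
  const exists = store.fields.get(collection)?.has(field) ?? false;
  return exists && store.permissions.some(
    (p) => p.role === role && p.collection === collection && p.field === field && p.action === action
  );
}

// Audit helper: permission rows whose field no longer exists in its collection.
// Running a check like this against a permissions export is one way to find
// leftovers before a field name is reused.
function findStalePermissions(store: Store): PermissionRow[] {
  return store.permissions.filter(
    (p) => !(store.fields.get(p.collection)?.has(p.field) ?? false)
  );
}

// Scenario: "editor" may read articles.internal_notes; the field is deleted and
// later recreated under the same name to hold different data.
function scenario(
  deleteField: (s: Store, c: string, f: string) => void
): { editorCanRead: boolean; staleAfterDelete: number } {
  const store = createStore();
  createField(store, "articles", "internal_notes");
  grant(store, { role: "editor", collection: "articles", field: "internal_notes", action: "read" });
  deleteField(store, "articles", "internal_notes");
  const staleAfterDelete = findStalePermissions(store).length;
  createField(store, "articles", "internal_notes"); // reused name, new content
  return {
    editorCanRead: canAccess(store, "editor", "articles", "internal_notes", "read"),
    staleAfterDelete,
  };
}

const vulnerable = scenario(deleteFieldLeavingPermissions); // editorCanRead: true,  staleAfterDelete: 1
const hardened = scenario(deleteFieldWithCleanup);          // editorCanRead: false, staleAfterDelete: 0
```

In the vulnerable path the audit reports one orphaned row right after the deletion, and the recreated field is readable by `editor` without any new grant; in the hardened path the row is gone and the new field is inaccessible until someone explicitly grants it.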

Affected Version(s)

directus < 11.13.0

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
