SB2025012352 - Improper privilege management in Directus

Published: January 23, 2025 Updated: April 23, 2026

Security Bulletin ID: SB2025012352
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper privilege management (CVE-ID: CVE-2025-24353)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper privilege management in the Share feature: when creating a share link for an item, a remote user can specify an arbitrary role for the share and thereby disclose sensitive information that is hidden from their own role.

Only instances that use the share feature and have fields hidden from certain roles are affected.
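As an added illustration that is not part of this bulletin or of the Directus code base, the following JavaScript models the hazard the bulletin describes: a share link carries a role, a visitor's field access is resolved from that role, and a share-creation step that stores whatever role the creator requests lets the creator delegate access they do not hold themselves. The item, the per-role field visibility, the role ranking and every function name are constructed for the example; the real Directus data model and fix may differ.

```javascript
// Added illustration (not Directus code). Models a share link that carries a
// role, field visibility resolved from that role, and the server-side check
// that keeps a creator from attaching a role more privileged than their own.

// Constructed item; some fields must stay hidden from less privileged roles.
const SAMPLE_ITEM = {
  id: 42,
  title: "Quarterly report",
  internal_notes: "draft, not for external viewers",
  salary_total: 1234567,
};

// Constructed per-role field visibility (hypothetical policy).
const READABLE_FIELDS = {
  viewer: ["id", "title"],
  editor: ["id", "title", "internal_notes"],
  admin: ["id", "title", "internal_notes", "salary_total"],
};

// Constructed privilege ranking: a share may never carry a role that
// outranks the role of the user who created it.
const ROLE_RANK = { viewer: 1, editor: 2, admin: 3 };

function isKnownRole(role) {
  return Object.prototype.hasOwnProperty.call(ROLE_RANK, role);
}

// Vulnerable pattern: the requested role is stored without validation, so a
// "viewer" can mint a share that resolves with "admin" visibility.
function createShareUnchecked(actor, requestedRole) {
  return { itemId: SAMPLE_ITEM.id, role: requestedRole, createdBy: actor.id };
}

// Hardened pattern: reject unknown roles and roles above the creator's own.
function createShareChecked(actor, requestedRole) {
  if (!isKnownRole(requestedRole)) {
    throw new Error(`unknown role: ${requestedRole}`);
  }
  if (ROLE_RANK[requestedRole] > ROLE_RANK[actor.role]) {
    throw new Error(`role ${requestedRole} exceeds creator role ${actor.role}`);
  }
  return { itemId: SAMPLE_ITEM.id, role: requestedRole, createdBy: actor.id };
}

// Resolving a share: the visitor sees exactly the fields its role may read.
function resolveShare(share, item = SAMPLE_ITEM) {
  const allowed = READABLE_FIELDS[share.role] || [];
  return Object.fromEntries(allowed.map((field) => [field, item[field]]));
}

// Audit aid for shares that already exist: flag any whose role outranks the
// role of its creator (roleOfUser maps user id -> role).
function findOverprivilegedShares(shares, roleOfUser) {
  return shares.filter((share) => {
    const creatorRole = roleOfUser[share.createdBy];
    return !isKnownRole(creatorRole) || !isKnownRole(share.role)
      || ROLE_RANK[share.role] > ROLE_RANK[creatorRole];
  });
}

// Stand-alone demonstration.
const viewer = { id: "u-viewer", role: "viewer" };
console.log("unchecked share exposes:", resolveShare(createShareUnchecked(viewer, "admin")));
try {
  createShareChecked(viewer, "admin");
} catch (err) {
  console.log("checked share rejected:", err.message);
}
console.log("checked share exposes:", resolveShare(createShareChecked(viewer, "viewer")));

module.exports = { createShareUnchecked, createShareChecked, resolveShare, findOverprivilegedShares, SAMPLE_ITEM };
```

The check belongs on the server at share-creation time, not in the client form; `findOverprivilegedShares` shows the same rule run as an audit over shares that were created before the check existed, which is the query a defender would want after patching an instance that had the share feature in use.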


Remediation

Install the update from the vendor's website.