SB20260423136 - Multiple vulnerabilities in Directus
Published: April 23, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-64748)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in concealed fields of the directus_users collection when processing search operations. A remote user can search concealed sensitive fields to disclose sensitive information.
Matching records are returned with masked values, allowing confirmation that searched values such as tokens, TFA secrets, and password hashes exist.
2) Incorrect authorization (CVE-ID: CVE-2025-64746)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and modify data.
The vulnerability exists due to incorrect authorization in field-level permissions handling when creating a new field with the same name as a previously deleted field. A remote user can create a field with a reused name to disclose sensitive information and modify data.
User interaction is required for exploitation.
3) Observable discrepancy (CVE-ID: CVE-2025-64749)
CWE-ID: CWE-203 - Observable Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to observable discrepancy in the Directus REST API /items/{collection} endpoint when handling requests for existing and non-existing collections. A remote user can send a request for a collection name to disclose sensitive information.
Different error messages reveal whether a collection exists even when access to that collection is not authorized.
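As an added illustration that is not part of this bulletin or of Directus's own code, the simplified handler below models the discrepancy described in (3) next to one way of removing it: the collection names, the user and the permission table are constructed for the example, and the uniform 403 response is an assumed design choice, not a statement of how the vendor fixed it.

```javascript
// Constructed fixture: two collections exist; user "alice" may read only "articles".
const collections = new Set(['articles', 'directus_users']);
const readableBy = { alice: new Set(['articles']) };

function canRead(user, collection) {
  return readableBy[user]?.has(collection) ?? false;
}

// Vulnerable shape: the "not found" and "forbidden" branches differ in status
// code and message, so a caller without access can still learn whether the
// collection exists just by comparing responses.
function getItemsVulnerable(user, collection) {
  if (!collections.has(collection)) {
    return { status: 404, body: { errors: [{ message: `Collection "${collection}" does not exist` }] } };
  }
  if (!canRead(user, collection)) {
    return { status: 403, body: { errors: [{ message: `No permission to access "${collection}"` }] } };
  }
  return { status: 200, body: { data: [] } };
}

// Hardened shape: "does not exist" and "not permitted" collapse into one
// response that is identical in status, message and shape, and the message
// does not echo the requested name, so existence cannot be inferred.
function getItemsHardened(user, collection) {
  if (!collections.has(collection) || !canRead(user, collection)) {
    return { status: 403, body: { errors: [{ message: "You don't have permission to access this." }] } };
  }
  return { status: 200, body: { data: [] } };
}

// Reviewer check: two responses are indistinguishable only if they serialise identically.
function sameResponse(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}
```

The check is useful as a regression test in any API: every unauthorized path to a resource should serialise to the same response whether or not the resource exists.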
4) Input validation error (CVE-ID: CVE-2025-64747)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the context of a user's session.
The vulnerability exists due to improper input validation in the Block Editor interface when processing JSON content containing HTML elements. A remote user can send a specially crafted PATCH request with malicious block editor content to execute arbitrary script in the context of a user's session.
User interaction is required to view the affected content, and exploitation requires the "upload files" and "edit item" permissions.
Remediation
Install the update from the vendor's website.
References
- https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
- https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2
- https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
- https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf