Improper access control in Directus - CVE-2024-6534


Published: August 27, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127105
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-6534
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote user to modify preset assignments for another user.

The vulnerability exists due to improper access control in the PATCH /presets/{id} endpoint when handling preset update requests. A remote user can send a specially crafted PATCH request to modify preset assignments for another user.

User interaction is required for the modified preset to be rendered when the victim visits the affected view.
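The following is an added illustration, not Directus code and not the vendor's fix. It models the access-control gap the description above points at as a simplified authorization function for a hypothetical PATCH /presets/{id} handler: the vulnerable variant only checks that the caller is logged in, while the hardened variant also requires that a non-admin caller owns the preset and does not reassign it to another user or role. All names (the "user", "role" and "layout" preset fields, the requester object, the in-memory store) are assumptions made for the example.

```javascript
// Added example for CVE-2024-6534 (CWE-284). Hypothetical, simplified model
// of a PATCH /presets/{id} authorization check; not Directus source code.

// Constructed sample store: two presets, each assigned to one user.
function makeStore() {
  return new Map([
    [1, { id: 1, user: "alice", role: null, layout: "tabular" }],
    [2, { id: 2, user: "bob", role: null, layout: "cards" }],
  ]);
}

// Vulnerable pattern: authenticates the caller but never checks ownership of
// the preset or whether the patch reassigns it, so any logged-in user can
// move another user's preset (the access-control gap the advisory describes).
function authorizePresetPatchVulnerable(requester, preset, patch) {
  if (!requester) return { allowed: false, reason: "unauthenticated" };
  return { allowed: true };
}

// Hardened pattern: non-admins may only update presets they own, and may not
// reassign a preset to another user or to a role.
function authorizePresetPatch(requester, preset, patch) {
  if (!requester) return { allowed: false, reason: "unauthenticated" };
  if (requester.admin) return { allowed: true };
  if (preset.user !== requester.id) {
    return { allowed: false, reason: "requester does not own this preset" };
  }
  if ("user" in patch && patch.user !== requester.id) {
    return { allowed: false, reason: "cannot reassign preset to another user" };
  }
  if ("role" in patch && patch.role !== null) {
    return { allowed: false, reason: "cannot assign preset to a role" };
  }
  return { allowed: true };
}

// Handler core: look up the preset, run the chosen authorization check, and
// apply the patch only when it is allowed. Returns the decision and the
// resulting preset so callers (and tests) can inspect both.
function patchPreset(store, requester, id, patch, authorize = authorizePresetPatch) {
  const preset = store.get(id);
  if (!preset) return { allowed: false, reason: "not found", preset: null };
  const decision = authorize(requester, preset, patch);
  if (!decision.allowed) return { ...decision, preset: { ...preset } };
  const updated = { ...preset, ...patch, id: preset.id }; // id is never patchable
  store.set(id, updated);
  return { allowed: true, preset: { ...updated } };
}

// Demonstration: bob tries to take over alice's preset under each variant.
const vulnerable = makeStore();
console.log(patchPreset(vulnerable, { id: "bob", admin: false }, 1, { user: "bob" },
  authorizePresetPatchVulnerable)); // allowed: true, preset now belongs to bob
const hardened = makeStore();
console.log(patchPreset(hardened, { id: "bob", admin: false }, 1, { user: "bob" }));
// allowed: false, preset still belongs to alice
```

The ownership and reassignment checks are what close the gap: a request that tries to change the "user" field of a preset the caller does not own is rejected before any write happens, and the store is left untouched.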


How to mitigate CVE-2024-6534

Install the security update from the vendor's website.

Sources