#VU127111 Improper privilege management in Directus - CVE-2025-24353


Published: January 23, 2025 / Updated: April 23, 2026


Vulnerability identifier: #VU127111
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-24353
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Directus
Software vendor: Directus

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper privilege management in the Share feature when creating a share link for an item. A remote user can specify an arbitrary role for the share and thereby disclose sensitive information, such as fields that are hidden from their own role.

Only instances that use the Share feature and have fields hidden from certain roles are affected.


Remediation

Install the security update from the vendor's website.

External links