Improper privilege management in Directus - CVE-2025-24353

Published: January 23, 2025 / Updated: April 23, 2026


Vulnerability identifier: #VU127111
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-24353
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software: Directus

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper privilege management in the Share feature when creating a share link for an item. A remote user can specify an arbitrary role to disclose sensitive information.

Only instances that use the share feature and have fields hidden from certain roles are affected.
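An audit query a defender can run to review existing share links whose assigned role differs from the creating user's own role, which is the condition this advisory describes. This is an added example, not part of the advisory; it assumes the Directus system collections directus_shares, directus_users and directus_roles with the column names shown, which should be checked against the instance's actual schema before use.

```sql
-- Added audit query (assumption: Directus system tables and columns below
-- exist as named; verify against your instance's schema).
-- Lists share links that grant a role other than the creator's own role,
-- or whose creator has no role at all, newest first.
SELECT s.id            AS share_id,
       s.collection,
       s.item,
       s.date_created,
       u.email         AS created_by,
       cr.name         AS creator_role,
       sr.name         AS share_role
FROM directus_shares s
JOIN      directus_users u  ON u.id  = s.user_created
LEFT JOIN directus_roles cr ON cr.id = u.role
LEFT JOIN directus_roles sr ON sr.id = s.role
WHERE s.role IS NOT NULL
  AND (u.role IS NULL OR s.role <> u.role)
ORDER BY s.date_created DESC;
```

Rows returned are candidates for review and revocation; on an unpatched instance they may indicate a share created with a role the creator should not have been able to select.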


How to mitigate CVE-2025-24353

Install the security update from the vendor's website.

Sources