cvedb.io
CVE-2025-53889
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2025-07-15T00:15:23.997 · Last modified 2026-06-17T09:39:05.000

Summary

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter secu

Affected products

monospace — directus

Does this affect you?

Add your gear to cvedb and we'll alert you only when monospace ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.