GHSA-7cvf-pxgp-42fc

Suggest an improvement
Source
https://github.com/advisories/GHSA-7cvf-pxgp-42fc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7cvf-pxgp-42fc/GHSA-7cvf-pxgp-42fc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7cvf-pxgp-42fc
Aliases
Published
2025-07-15T15:36:59Z
Modified
2025-07-15T16:12:27.586620Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
Details

Summary

Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating.

Impact

Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s).

Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to directus_flows or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks.

Workarounds

Users have to implement permission checks for read access to Flows and read access to relevant collection/items.

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2025-07-15T00:15:23Z",
    "github_reviewed_at": "2025-07-15T15:36:59Z",
    "cwe_ids": [
        "CWE-285",
        "CWE-287"
    ]
}
References

Affected packages

npm / directus

Package

Name
directus
View open source insights on deps.dev
Purl
pkg:npm/directus

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.9.0