Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.

INFO

Published Date :

2025-07-14T23:35:56.448Z

Last Modified :

2025-07-15T13:41:18.865Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-53886 vulnerability.

Vendors Products
Directus
  • Directus
Monospace
  • Directus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-53886.

URL Resource
https://github.com/directus/directus/commit/22be460c76957708d67fdd52846a9ad1cbb083fb cve-icon cve-icon
https://github.com/directus/directus/pull/25354 cve-icon cve-icon
https://github.com/directus/directus/releases/tag/v11.9.0 cve-icon cve-icon
https://github.com/directus/directus/security/advisories/GHSA-f24x-rm6g-3w5v cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact