Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

INFO

Published Date :

2025-11-13T20:54:42.351Z

Last Modified :

2025-11-13T21:19:01.907Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64746 vulnerability.

Vendors Products
Directus
  • Directus
Monospace
  • Directus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64746.

URL Resource
https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8 cve-icon cve-icon
https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact