CVE-2025-53886 MEDIUM

CVE-2025-53886: Directus doesn't redact tokens in Flow logs

Vendor Directus

Product directus

Weakness CWE-200 · Info exposure

Published July 14, 2025

Last update July 15, 2025

View on NVD All CVEs

CVSS base score

4.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue.

Key dates

02Disclosure timeline

July 14, 2025 CVE published

July 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-53886

Related vulnerabilities

CVE-2025-53886: Directus doesn't redact tokens in Flow logs

01Description

02Disclosure timeline

03References

04Related CVE