CVE-2023-38503
Severity: MEDIUM
Directus 10.3.0-10.5.0 - Unauthorized Data Exposure via GraphQL Subscription Permission Bypass
Title source: llmDescription
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, permission filters (e.g. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscriptions, so unauthorized users receive events on their subscription that, according to the configured permissions, they should not receive. This affects any collection, but out of the box the `directus_users` collection is configured with such a permission filter, so a subscribed user can receive updates about other users when their records change. Version 10.5.0 contains a patch. As a workaround, disable GraphQL subscriptions.
References (2)
- Vendor Advisory (x_refsource_confirm): https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98
- Patch (x_refsource_misc): https://github.com/directus/directus/pull/19155
Scores
- CVSS v3: 5.7
- EPSS: 0.0014
- EPSS Percentile: 34.0%
- Attack Vector: NETWORK
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Details
- CWE: CWE-200, CWE-863
- Status: published
Products (2)
- monospace/directus: 10.3.0 - 10.5.0
- npm/directus: 10.3.0 - 10.5.0 (npm)
Published: Jul 25, 2023
Tracked Since: Feb 18, 2026