-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe analysis of the commit patch 22be460c76957708d67fdd52846a9ad1cbb083fb clearly indicates that the vulnerability was a result of insufficient permission checks in the handler for manual flows. The file api/src/flows.ts was modified within the FlowManager class to introduce these missing checks. The vulnerable function is an anonymous handler function defined inside what is likely the setupTriggers method (based on code context). This handler is invoked when a flow.trigger.manual event is dispatched. The patch rectifies the vulnerability by adding logic to verify the user's authentication status (via the accountability object) and their authorization (permissions for the target collection and items) before permitting the flow to execute. The absence of these checks in the vulnerable version is what allowed unauthenticated users to trigger flows they were not authorized to use, which is the core of the reported vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| directus | npm | < 11.9.0 | 11.9.0 |