Moderate severityNVD Advisory· Published Nov 13, 2025· Updated Nov 13, 2025

Directus has Improper Permission Handling on Deleted Fields

CVE-2025-64746

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
directusnpm	< 11.13.0	11.13.0

Affected products

Monospace/Directusv5
Range: < 11.13.0

Patches

84d763696908

Merge from fork (#26110)

https://github.com/directus/directusBrainslugNov 4, 2025via ghsa

commit

2 files changed · +24 −0

api/src/services/fields.ts+19 −0 modified

@@ -839,6 +839,25 @@ export class FieldsService {
 					},
 					{ emitEvents: false },
 				);
+
+				// cleanup permissions for deleted field
+				const permissionRows: { id: number; collection: string; fields: string }[] = await trx
+					.select('id', 'collection', 'fields')
+					.from('directus_permissions')
+					.whereRaw('?? = ? AND ?? LIKE ?', ['collection', collection, 'fields', '%' + field + '%']);
+
+				if (permissionRows.length > 0) {
+					for (const permissionRow of permissionRows) {
+						const newFields = permissionRow['fields']
+							.split(',')
+							.filter((v) => v !== field)
+							.join(',');
+
+						await trx('directus_permissions')
+							.update('fields', newFields.length > 0 ? newFields : null)
+							.where('id', '=', permissionRow['id']);
+					}
+				}
 			});
 
 			const actionEvent = {

.changeset/pretty-owls-shout.md+5 −0 added

@@ -0,0 +1,5 @@
+---
+'@directus/api': patch
+---
+
+Added permissions cleanup on fields

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-9x5g-62gj-wqf2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-64746ghsaADVISORY
github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8ghsax_refsource_MISCWEB
github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000