Home > Vulnerability Database > CVE-2025-64746

Mend.io Vulnerability Database

CVE-2025-64746

Good to know:

Date: November 13, 2025

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. Version 11.13.0 fixes the issue.

Severity Score

4.6

Related Resources (5)

Url: https://github.com/directus/directus

Url: https://github.com/directus/directus/commit/84d7636969083387164ce5d2fd15a65e11e2d0b8

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64746

Url: https://github.com/directus/directus/security/advisories/GHSA-9x5g-62gj-wqf2

Url: https://www.mend.io/vulnerability-database/CVE-2025-64746

Severity Score

4.6

Weakness Type (CWE)

Improper Access Control

CWE-284

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version directus - 11.13.0;https://github.com/directus/directus.git - v11.13.0

Learn More

CVSS v3.1

Base Score:	4.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64746

Good to know:

Date: November 13, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?