VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-xk1e-dcny-akgb

Essentials
Severities (13)
References (7)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-xk1e-dcny-akgb
Aliases	CVE-2025-27089 GHSA-99vm-5v2h-h6r6
Summary	Directus allows updates to non-allowed fields due to overlapping policies If there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any of the policies. E.g. have one policy allowing update access to `field_a` if the `id == 1` and one policy allowing update access to `field_b` if the `id == 2`. The user with both these policies is allowed to update both `field_a` and `field_b` for the items with ids `1` and `2`.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-863	Incorrect Authorization

System	Score	Found at
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2025-27089
cvssv3.1	5.4	https://github.com/directus/directus
generic_textual	MODERATE	https://github.com/directus/directus
cvssv3.1	5.4	https://github.com/directus/directus/commit/a7ea67783b060d0d6fc964d71c2d4575d5eee4e2
generic_textual	MODERATE	https://github.com/directus/directus/commit/a7ea67783b060d0d6fc964d71c2d4575d5eee4e2
cvssv3.1	5.4	https://github.com/directus/directus/releases/tag/v11.1.2
generic_textual	MODERATE	https://github.com/directus/directus/releases/tag/v11.1.2
ssvc	Track	https://github.com/directus/directus/releases/tag/v11.1.2
cvssv3.1	5.4	https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6
generic_textual	MODERATE	https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6
ssvc	Track	https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6
cvssv3.1	5.4	https://nvd.nist.gov/vuln/detail/CVE-2025-27089
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2025-27089

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-27089
		https://github.com/directus/directus
		https://github.com/directus/directus/commit/a7ea67783b060d0d6fc964d71c2d4575d5eee4e2
		https://github.com/directus/directus/releases/tag/v11.1.2
CVE-2025-27089		https://nvd.nist.gov/vuln/detail/CVE-2025-27089
GHSA-99vm-5v2h-h6r6		https://github.com/advisories/GHSA-99vm-5v2h-h6r6
GHSA-99vm-5v2h-h6r6		https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/directus/directus

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/directus/directus/commit/a7ea67783b060d0d6fc964d71c2d4575d5eee4e2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/directus/directus/releases/tag/v11.1.2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-19T17:18:55Z/ Found at https://github.com/directus/directus/releases/tag/v11.1.2

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-19T17:18:55Z/ Found at https://github.com/directus/directus/security/advisories/GHSA-99vm-5v2h-h6r6

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-27089

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.3834
EPSS Score	0.00172
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:23:20.842627+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-27089.yml	38.6.0