Key vulnerability information

Vulnerability title: Missing permission checks for manual trigger Flows
Affected versions: >= v9.12.0
Patched version: 11.9.0

Vulnerability description

Summary: Directus Flows with a manual trigger do not validate whether the user triggering the Flow has permission to read the items supplied as the Flow's payload. As a result, the Flow can carry out its tasks on the attacker's behalf without the attacker authenticating.

Impact: Bad actors could execute manual trigger Flows without authentication and without access rights to the collection(s) or item(s) in question. Users with manual trigger Flows configured are affected, because these endpoints do not currently validate that the caller has read access to the Flow or to the relevant collection/items.

Workarounds: Users have to implement permission checks for read access to Flows and read access to the relevant collection/items.

Severity: Moderate (6.5 / 10)
CVSS v3 base metrics:
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None

CVE ID: CVE-2025-53889
Weakness: CWE-287
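The workaround above asks operators to check both that the caller may read the Flow and that the caller may read every item in the payload. The following JavaScript is an added illustration of that bug class and its fix; it is not Directus code and does not use the Directus API. The collections, the flow registry, the role model and the function names (triggerFlowVulnerable, triggerFlowHardened, canReadItem, canReadFlow, runFlow) are all constructed for the example.

```javascript
// Added illustration, not Directus's own code: a manual-trigger endpoint that
// runs a flow over caller-supplied item keys, shown in a vulnerable form and a
// hardened form. All data, the permission model and the flow registry below
// are constructed for the example.

// Constructed sample collection: three invoice items with owners.
const collections = {
  invoices: {
    1: { owner: "alice", total: 10 },
    2: { owner: "bob", total: 20 },
    3: { owner: "alice", total: 30 },
  },
};

// Constructed flow registry: which roles may trigger each manual flow.
const flows = {
  "export-invoices": { collection: "invoices", allowedRoles: ["admin", "accounting"] },
};

// Constructed read-permission model: admins read everything, other users read
// only items they own, and anonymous callers read nothing.
function canReadItem(user, collection, key) {
  if (!user) return false;
  if (user.role === "admin") return true;
  const item = collections[collection] && collections[collection][key];
  return item !== undefined && item.owner === user.name;
}

// Read access to the flow itself: the caller must be authenticated and hold
// one of the roles the flow allows.
function canReadFlow(user, flowName) {
  const flow = flows[flowName];
  return Boolean(user && flow && flow.allowedRoles.includes(user.role));
}

// The work the flow performs; for the example it just reports which items it touched.
function runFlow(flowName, keys) {
  const { collection } = flows[flowName];
  return keys.map((k) => `${flowName}:${collection}:${k}`);
}

// Vulnerable shape: the handler trusts the payload and never consults the
// caller's identity or permissions, so any client can run the flow over any keys.
function triggerFlowVulnerable(_user, payload) {
  if (!flows[payload.flow]) throw new Error("unknown flow");
  return runFlow(payload.flow, payload.keys);
}

// Hardened shape: require an authenticated caller who may read the flow, then
// run it only over the keys the caller is permitted to read. Keys the caller
// may not read are dropped rather than processed; if none remain, refuse.
function triggerFlowHardened(user, payload) {
  if (!user) throw new Error("unauthenticated");
  if (!canReadFlow(user, payload.flow)) throw new Error("forbidden: flow");
  const { collection } = flows[payload.flow];
  const allowed = payload.keys.filter((k) => canReadItem(user, collection, k));
  if (allowed.length === 0) throw new Error("forbidden: no readable items");
  return runFlow(payload.flow, allowed);
}
```

The hardened handler performs the two checks the advisory names, in order: Flow read access first (so an unknown or forbidden flow is rejected before any item lookup), then per-item read access, with the payload reduced to the readable subset. Filtering rather than failing on the first unreadable key keeps the endpoint usable for callers with partial access while still never acting on items they cannot read; an audit log entry for dropped keys would be the natural next addition.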