Directus Overlapping Policy Vulnerability in Update Action Allows Unintended Field Access

Vulnerability

A vulnerability exists in Directus versions 11.0.0 prior to 11.1.2 that allows users to update unintended fields due to overlapping access policies. When two policies for the 'update' action intersect but grant access to different fields, the system fails to validate field permissions against the specific items being updated. As a result, a user can update any combination of the fields permitted by either policy, regardless of which items each policy actually covers. For instance, a user could update 'field_a' for item ID 1 and 'field_b' for item ID 2 in a single request, even if such updates were not individually authorized. This can inadvertently expose sensitive fields, such as the password field in user accounts.
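The following is an added illustration of the permission logic the advisory describes; it is not Directus code and does not reproduce the project's policy engine. It uses a constructed, simplified policy model (a set of matched item IDs standing in for a Directus filter expression, plus an allowed field set) to contrast an aggregate check that pools the fields of every policy matching any item in a batch with a per-item check that only counts policies covering the item actually being written. The policy names, item IDs and field names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Simplified stand-in for an access policy on the 'update' action.

    Constructed model: `item_ids` lists the items the policy's filter would
    match (instead of a real filter expression); `fields` is the allowed set.
    """
    name: str
    item_ids: frozenset
    fields: frozenset


# Constructed sample: both policies apply to the same user and overlap on item 3.
POLICIES = (
    Policy("policy_a", frozenset({1, 3}), frozenset({"field_a"})),
    Policy("policy_b", frozenset({2, 3}), frozenset({"field_b", "password"})),
)


def flawed_allowed_fields(policies, item_ids):
    """Aggregate check (the flawed pattern): every policy that matches ANY item
    in the batch contributes its fields to one allow-list shared by all items."""
    requested = set(item_ids)
    allowed = set()
    for policy in policies:
        if policy.item_ids & requested:
            allowed |= policy.fields
    return allowed


def flawed_batch_is_allowed(policies, updates):
    """`updates` maps item_id -> {field: new_value} (constructed request shape)."""
    allowed = flawed_allowed_fields(policies, updates)
    return all(set(payload) <= allowed for payload in updates.values())


def allowed_fields_for_item(policies, item_id):
    """Per-item check (the correct pattern): only policies whose filter matches
    THIS item contribute fields."""
    allowed = set()
    for policy in policies:
        if item_id in policy.item_ids:
            allowed |= policy.fields
    return allowed


def batch_violations(policies, updates):
    """Return (item_id, field) pairs not permitted by any policy covering that item."""
    violations = []
    for item_id, payload in updates.items():
        allowed = allowed_fields_for_item(policies, item_id)
        for name in payload:
            if name not in allowed:
                violations.append((item_id, name))
    return violations


def fixed_batch_is_allowed(policies, updates):
    return not batch_violations(policies, updates)


if __name__ == "__main__":
    # Legitimate batch: each field is permitted on the item it targets.
    legitimate = {1: {"field_a": "x"}, 2: {"field_b": "y"}}
    # Cross-wise batch: each field is permitted on SOME item in the batch,
    # but not on the item it is actually written to.
    crossed = {1: {"password": "x"}, 2: {"field_a": "y"}}
    for label, req in (("legitimate", legitimate), ("cross-wise", crossed)):
        print(label,
              "aggregate check:", flawed_batch_is_allowed(POLICIES, req),
              "per-item check:", fixed_batch_is_allowed(POLICIES, req),
              "violations:", batch_violations(POLICIES, req))
```

The cross-wise batch passes the aggregate check because `policy_a` matches item 1 and `policy_b` matches item 2, so both field sets end up in the shared allow-list; the per-item check rejects it because neither `password` on item 1 nor `field_a` on item 2 is granted by a policy that covers that item. Item 3, matched by both policies, legitimately accepts either field under the per-item check, which is the behaviour overlapping policies are meant to produce.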

Impact

Exploitation of this vulnerability could lead to unauthorized updates of fields, including the password field in user accounts.

Remediation

Users are advised to upgrade to Directus version 11.1.2 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM