Directus Manual Trigger Flow Permission Bypass Vulnerability

Vulnerability

A vulnerability exists in Directus versions 9.12.0 up to, but not including, 11.9.0: Flows with a manual trigger do not validate the triggering user's permissions for the items included in the Flow's payload. Before running a manual Flow, Directus did not check whether the caller had read access to 'directus_flows' (the Flow itself) or to the collection and items passed in the trigger payload. As a result, an actor who lacks those access rights (and, in some configurations, one who has not authenticated at all) could start the Flow, and its operations would then run on behalf of that trigger, with whatever data and actions the Flow was designed to process.

Impact

Exploitation allows unauthorized execution of manual Flows: a user can push collections or items they are not permitted to read into a Flow and have its operations act on them. Depending on what the Flow does, this can be used to read or manipulate data, or to trigger side effects (notifications, webhooks, item updates) that the user is not authorized to perform directly. The severity therefore depends on which manual Flows an instance exposes and how powerful their operations are.

Reproduction

On a Directus instance running a version from 9.12.0 up to (but not including) 11.9.0, create a Flow with a manual trigger and configure it for a collection. Trigger the Flow with a payload naming that collection and one or more item keys, using an account that has no read permission on 'directus_flows' or on those items (manual Flows are started through the API's flow-trigger endpoint, `POST /flows/trigger/<flow-id>`, with the collection and keys in the request body). On an affected version the Flow executes anyway, because no permission check is made against the caller for the Flow or for the items in the payload; on a patched version the request is rejected.

Remediation

Upgrade to Directus 11.9.0 or later, which adds the missing permission checks: the trigger is refused unless the caller can read the Flow in 'directus_flows' and can read every collection and item in the payload. If upgrading is not immediately possible, enforce the same checks yourself, for example by restricting which roles can reach manual Flows and by validating read access to the Flow and to the supplied items before any operation in the Flow acts on them; treat the trigger payload as untrusted input until that check has passed.

Added: Jul 15, 2025, 12:52 AM
Updated: Jul 15, 2025, 12:52 AM

Vulnerability Rating

Custom Algorithm (eight categories, each scored 0.0 to 10.0):

spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.