Vulnerability Database

318,003

Total vulnerabilities in the database

CVE-2024-54151

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions. Version 11.3.0 fixes the issue.

Published: Dec 9, 2024
Updated: Nov 19, 2025
CVE: CVE-2024-54151
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
monospace / directus	11.0.0	11.3.0

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo