Impact
Directus exposes a PATCH endpoint that accepts a filename_disk parameter supplied by the client. By setting this value to the storage location of another user’s file, an attacker can overwrite that file’s contents and alter metadata such as uploaded_by. The flaw combines a path traversal weakness with broken access control, allowing arbitrary data tampering and potential forgery of audit records. The root cause is the absence of both an authorization check and input validation for the filename_disk field: a server-managed value describing where a file's bytes are stored is accepted from the request body as if it were ordinary, client-editable metadata.
Affected Systems
All releases of Directus older than version 11.17.0, including 11.16.x and earlier, are affected. The vulnerability exists in the API and dashboard components that manage file storage. Users and administrators must verify whether their deployed instances belong to this affected range and plan an upgrade accordingly.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers likely need API access and sufficient privileges to send a crafted PATCH request to /files/{id}. Authentication is not explicitly stated, but an authenticated session is inferred to be required, since the request targets a protected CRUD endpoint. Successful exploitation would enable overwriting arbitrary files, compromising data integrity and potentially enabling broader system compromise.
OpenCVE Enrichment
Github GHSA