CVE-2025-30351: Suspended Directus user can continue to use session token to access API
Because the user's status is not checked when a session token is verified, a suspended user can keep using a token that was issued in session auth mode to access the API, despite their suspended status.
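The bug class is easier to see in code. The following is an added illustration, not Directus's own code: a minimal session-token check showing the missing user-status lookup beside the hardened form. The user table, session store and tokens are all constructed for the example.

```javascript
// Added illustration (not Directus's own code) of the class of bug in
// CVE-2025-30351 and its fix. All names, tokens and data are constructed.

// Constructed user table: `status` is the field suspension would change.
const users = new Map([
  ['u1', { id: 'u1', email: 'alice@example.test', status: 'active' }],
  ['u2', { id: 'u2', email: 'bob@example.test', status: 'suspended' }],
]);

// Constructed session store: session token -> { user, expires }.
const sessions = new Map([
  ['tok-alice', { user: 'u1', expires: Date.parse('2099-01-01T00:00:00Z') }],
  ['tok-bob',   { user: 'u2', expires: Date.parse('2099-01-01T00:00:00Z') }],
]);

// Vulnerable pattern: checks that the session exists and is unexpired, but
// never looks at the owning user's status, so a suspended user keeps access.
function verifySessionVulnerable(token, now = Date.now()) {
  const session = sessions.get(token);
  if (!session || session.expires <= now) return null;
  return users.get(session.user) ?? null;
}

// Hardened pattern: the user's current status is re-checked on every request,
// so suspending or deleting the user revokes access immediately even though
// the session row itself is still present and unexpired.
function verifySessionHardened(token, now = Date.now()) {
  const session = sessions.get(token);
  if (!session || session.expires <= now) return null;
  const user = users.get(session.user);
  if (!user || user.status !== 'active') return null;
  return user;
}

// Defence in depth: on suspension, also drop the user's sessions so access
// revocation does not rely solely on the per-request status check.
function suspendUser(userId) {
  const user = users.get(userId);
  if (!user) return false;
  user.status = 'suspended';
  for (const [token, s] of sessions) {
    if (s.user === userId) sessions.delete(token);
  }
  return true;
}
```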