
CVE-2025-30353: Directus's webhook trigger flows can leak sensitive data

March 26, 2025

Describe the Bug

In Directus, when a Flow with the “Webhook” trigger and the “Data of Last Operation” response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data: environment variables, sensitive API keys, user accountability information, and operational data.

This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse.


To Reproduce

Steps to Reproduce:

  1. Create a Flow in Directus with:
    • Trigger: Webhook
    • Response Body: Data of Last Operation
  2. Add a condition that is likely to fail.
  3. Trigger the Flow with any input data that will fail the condition.
  4. Observe the API response, which includes sensitive information like:
    • Environment variables ($env)
    • Authorization headers
    • User details under $accountability
    • Previous operational data

Expected Behavior: In the event of a ValidationError, the API response should only contain relevant error messages and details, avoiding the exposure of sensitive data.

Actual Behavior: The API response includes sensitive information such as:

  • Environment keys (FLOWS_ENV_ALLOW_LIST)
  • User accountability (role, user, etc.)
  • Operational logs (current_payments, $last), which might contain private details.
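A defender-side check for the response described in the reproduction steps and the actual-behavior list above, added here as an example and not part of the advisory or the Directus project: it walks a decoded flow response and reports where the keys the advisory names ($env, $accountability, $last, Authorization headers) appear, so a team can confirm that a failing-condition flow returns only error details after upgrading. The JSON shapes below are constructed for illustration; the page does not give the real response layout.

```python
import json
from typing import Any, Iterator

# Keys the advisory names as leaking from a failed-condition flow response.
# Matching is case-insensitive; "authorization" catches leaked request headers.
SENSITIVE_KEYS = {"$env", "$accountability", "$last", "authorization"}


def find_sensitive_paths(node: Any, path: str = "$") -> Iterator[str]:
    """Walk a decoded JSON response and yield JSONPath-like locations of sensitive keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                yield child
            yield from find_sensitive_paths(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_sensitive_paths(value, f"{path}[{index}]")


def check_flow_response(body: str) -> list[str]:
    """Return sorted leak locations found in a webhook flow's response body (empty = clean)."""
    try:
        decoded = json.loads(body)
    except json.JSONDecodeError:
        return []  # a non-JSON body cannot carry the structured keys we look for
    return sorted(set(find_sensitive_paths(decoded)))


# Constructed sample: what a leaking "Data of Last Operation" response could look like
# after a ValidationError from a condition. The structure is illustrative, not a real capture.
LEAKING_RESPONSE = json.dumps({
    "errors": [{"message": "Validation failed", "extensions": {"code": "FAILED_VALIDATION"}}],
    "$env": {"FLOWS_ENV_ALLOW_LIST": "PUBLIC_URL,SECRET"},
    "$accountability": {"user": "<user-id>", "role": "<role-id>"},
    "$trigger": {"headers": {"Authorization": "Bearer <token>"}},
    "$last": {"current_payments": [{"amount": 100}]},
})

# Constructed sample of the expected post-fix response: only the error details remain.
CLEAN_RESPONSE = json.dumps({
    "errors": [{"message": "Validation failed", "extensions": {"code": "FAILED_VALIDATION"}}],
})

if __name__ == "__main__":
    for label, body in (("leaking", LEAKING_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, check_flow_response(body))
```

Feed the function the raw body captured from your own instance's flow endpoint; any non-empty result after upgrading to 11.5.0 is worth a second look at the flow configuration.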

References

  • github.com/advisories/GHSA-fm3h-p9wm-h74h
  • github.com/directus/directus
  • github.com/directus/directus/security/advisories/GHSA-fm3h-p9wm-h74h
  • nvd.nist.gov/vuln/detail/CVE-2025-30353


Affected versions

All versions starting from 9.12.0 before 11.5.0

Fixed versions

  • 11.5.0

Solution

Upgrade to version 11.5.0 or above.

Impact

8.6 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Source file

npm/directus/CVE-2025-30353.yml

Page generated Tue, 13 May 2025 00:15:52 +0000.