CVE-2025-53886: Directus tokens are not redacted in flow logs, exposing session credentials to all admin

When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-53886 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →