directus is vulnerable to Sensitive Information Disclosure. The vulnerability exists because users with read access to the password field in directus_users
can extract the argon2 password hashes by brute-forcing the export functionality combined with a _starts_with
filter, which allows an attacker to enumerate the password.