CVE-2025-61781
Authorization Bypass in OpenCTI Workspace Deletion Mutation
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencti | opencti | up to 6.8.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-566 | The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61781 is a high-severity vulnerability in OpenCTI versions prior to 6.8.1 involving an Insecure Direct Object Reference (IDOR) in a GraphQL mutation called "WorkspacePopoverDeletionMutation." This mutation allows authenticated users to delete workspace-related objects like dashboards and investigation cases but lacks proper authorization checks to verify if the user owns the targeted resources. An attacker can exploit this by providing the UUID of another user's workspace content, causing unauthorized deletion of that user's entire workspace. [1]
How can this vulnerability impact me?
This vulnerability can lead to irreversible loss of critical user data such as personalized dashboards with specific views, metrics, and configurations, as well as investigation cases containing sensitive evidence, timelines, and analyst notes essential for incident response and forensic analysis. It disrupts user operations, halts or delays investigations, and causes operational disruptions, especially for teams relying on shared dashboards or cases. Additionally, it can be used as a privilege escalation vector to target high-value users like administrators or SOC analysts by deleting their dashboards or cases, potentially sabotaging detection capabilities, concealing malicious activities, or delaying incident response. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring GraphQL API requests for use of the mutation `WorkspacePopoverDeletionMutation` with UUIDs that do not belong to the authenticated user. Network or application logs can be inspected for suspicious deletion requests targeting other users' workspace objects. Specific commands depend on your environment; for example, tools such as curl or GraphQL clients can be used to query logs or intercept API calls. An example detection command is searching the logs for the mutation name, such as `grep 'WorkspacePopoverDeletionMutation' /path/to/logs`, or using network monitoring tools to filter GraphQL requests containing this mutation. However, no exact commands are provided in the available resources. [1]
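The grep above only finds calls to the mutation; the finding that matters is a call whose target workspace belongs to someone other than the caller. The following added example (not code from the CVE record or from the OpenCTI project) shows that correlation over constructed access-log lines: it parses newline-delimited JSON records, keeps only `WorkspacePopoverDeletionMutation` calls, and flags any whose `variables.id` is owned by a different user, or is not known at all. The log field names (`ts`, `user`, `operationName`, `variables`), the owner map and the sample lines are assumptions; a real deployment would map them onto its own access-log format and workspace store.

```javascript
// Added example, not code from the CVE record or from OpenCTI: scan GraphQL
// access-log lines for WorkspacePopoverDeletionMutation calls that target a
// workspace the requesting user does not own. The log field names, the
// workspace-owner map and the sample lines below are constructed assumptions.

const TARGET_MUTATION = "WorkspacePopoverDeletionMutation";

// Constructed sample log: one JSON record per line, plus one malformed line
// to show that unparsable input is skipped rather than aborting the scan.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2026-01-05T10:00:01Z", user: "alice", operationName: TARGET_MUTATION, variables: { id: "ws-1111" } }),
  JSON.stringify({ ts: "2026-01-05T10:00:05Z", user: "bob", operationName: "DashboardListQuery", variables: {} }),
  JSON.stringify({ ts: "2026-01-05T10:00:09Z", user: "bob", operationName: TARGET_MUTATION, variables: { id: "ws-1111" } }),
  JSON.stringify({ ts: "2026-01-05T10:00:12Z", user: "carol", operationName: TARGET_MUTATION, variables: { id: "ws-9999" } }),
  "2026-01-05T10:00:13Z garbage line that is not JSON",
].join("\n");

// Constructed ownership map; in a real deployment this comes from the
// workspace store (who created each dashboard or investigation case).
const WORKSPACE_OWNERS = { "ws-1111": "alice", "ws-2222": "bob" };

// Parse newline-delimited JSON, dropping lines that are not valid records.
function parseLogLines(text) {
  const records = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const rec = JSON.parse(line);
      if (rec && typeof rec === "object") records.push(rec);
    } catch (_) {
      // malformed line: skip it, do not abort the scan
    }
  }
  return records;
}

// Return one finding per deletion call whose target is not owned by the caller.
// Targets with no known owner are reported too: an unknown UUID in a delete
// call is what a probe for other users' objects looks like from the log side.
function findCrossUserDeletions(logText, owners) {
  const findings = [];
  for (const rec of parseLogLines(logText)) {
    if (rec.operationName !== TARGET_MUTATION) continue;
    const workspaceId = rec.variables && rec.variables.id;
    if (!workspaceId) continue;
    const owner = owners[workspaceId];
    if (owner === undefined) {
      findings.push({ ts: rec.ts, user: rec.user, workspaceId, owner: null, reason: "unknown-workspace" });
    } else if (owner !== rec.user) {
      findings.push({ ts: rec.ts, user: rec.user, workspaceId, owner, reason: "cross-user-deletion" });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed sample.
for (const f of findCrossUserDeletions(SAMPLE_LOG, WORKSPACE_OWNERS)) {
  console.log(`${f.ts} ${f.reason}: ${f.user} deleted ${f.workspaceId} (owner: ${f.owner ?? "unknown"})`);
}
```

Run against the sample, the scan reports bob's deletion of alice's workspace and carol's deletion of an unknown id, and ignores alice deleting her own workspace, the unrelated query and the malformed line. On a live system the owner map is the piece worth getting right: it has to be refreshed from the workspace store, because a deletion that succeeded will already have removed the row the scan needs to attribute it.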
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenCTI to version 6.8.1 or later, where the vulnerability has been patched. Until the upgrade is applied, restrict access to the GraphQL API to trusted users only, monitor for suspicious deletion activities, and consider implementing additional authorization checks or network-level controls to limit exploitation. Avoid using the vulnerable mutation if possible. [1]
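The "additional authorization checks" in the answer above amount to one rule: the mutation must confirm that the object referenced by the supplied id belongs to the caller before it deletes anything. The following added example (hypothetical, not OpenCTI's code) puts the vulnerable resolver shape, which deletes whatever id it is given, next to a hardened shape that loads the object and checks ownership or an admin capability first. The in-memory store, the `ctx` fields (`userId`, `isAdmin`) and the `attemptDelete` wrapper are assumptions for illustration.

```javascript
// Added example, hypothetical and not OpenCTI's code: a GraphQL-style
// "delete workspace" resolver in its vulnerable shape (deletes whatever id the
// caller supplies, the CWE-285 pattern) beside a hardened shape that verifies
// ownership before deleting. Store, context shape and field names are assumed.

class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// Constructed in-memory stand-in for the workspace table.
function makeStore() {
  return new Map([
    ["ws-1111", { owner: "alice", name: "SOC overview dashboard" }],
    ["ws-2222", { owner: "bob", name: "Phishing investigation case" }],
  ]);
}

// Vulnerable shape: the caller is authenticated, but nothing ties the
// supplied id to that caller, so any id in the table can be deleted.
function deleteWorkspaceUnchecked(store, ctx, id) {
  return store.delete(id);
}

// Hardened shape: fetch the object first, then require that the caller owns
// it (or holds an admin capability) before issuing the delete. A missing
// object and a foreign object raise the same error, so the mutation cannot
// be used to learn which ids exist.
function deleteWorkspaceChecked(store, ctx, id) {
  const workspace = store.get(id);
  if (!workspace || (workspace.owner !== ctx.userId && !ctx.isAdmin)) {
    throw new AuthorizationError("not authorized to delete this workspace");
  }
  store.delete(id);
  return true;
}

// Resolver-style wrapper that turns the outcome into a status string, the
// kind of value a GraphQL response or an audit log would carry.
function attemptDelete(deleteFn, store, ctx, id) {
  try {
    return deleteFn(store, ctx, id) ? "deleted" : "not-found";
  } catch (err) {
    if (err instanceof AuthorizationError) return "denied";
    throw err;
  }
}

// Stand-alone demonstration: bob tries to delete alice's dashboard.
const bob = { userId: "bob", isAdmin: false };
console.log("unchecked:", attemptDelete(deleteWorkspaceUnchecked, makeStore(), bob, "ws-1111")); // deleted
console.log("checked:  ", attemptDelete(deleteWorkspaceChecked, makeStore(), bob, "ws-1111")); // denied
```

The check is deliberately done on the loaded object rather than on the id alone: ownership is a property of the stored record, and the only reliable way to verify it is to read the record back under the caller's identity before the delete runs. Returning one uniform denial for both "does not exist" and "not yours" is the usual companion to an IDOR fix, so the mutation stops leaking which UUIDs are valid.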
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized deletion of critical user data, including dashboards and investigation cases containing sensitive evidence and analyst notes. This unauthorized deletion can disrupt incident response and forensic analysis, potentially leading to loss of important data required for compliance with standards like GDPR and HIPAA. Such data loss and operational disruption may result in non-compliance with data protection and incident management requirements mandated by these regulations. [1]