CVE-2025-61781
Unknown Unknown - Not Provided
Authorization Bypass in OpenCTI Workspace Deletion Mutation

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61781
EUVD
EUVD-2025-206242
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencti opencti to 6.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61781 is a high-severity vulnerability in OpenCTI versions prior to 6.8.1 involving an Insecure Direct Object Reference (IDOR) in a GraphQL mutation called "WorkspacePopoverDeletionMutation." This mutation allows authenticated users to delete workspace-related objects like dashboards and investigation cases but lacks proper authorization checks to verify if the user owns the targeted resources. An attacker can exploit this by providing the UUID of another user's workspace content, causing unauthorized deletion of that user's entire workspace. [1]

Impact Analysis

This vulnerability can lead to irreversible loss of critical user data such as personalized dashboards with specific views, metrics, and configurations, as well as investigation cases containing sensitive evidence, timelines, and analyst notes essential for incident response and forensic analysis. It disrupts user operations, halts or delays investigations, and causes operational disruptions, especially for teams relying on shared dashboards or cases. Additionally, it can be used as a privilege escalation vector to target high-value users like administrators or SOC analysts by deleting their dashboards or cases, potentially sabotaging detection capabilities, concealing malicious activities, or delaying incident response. [1]

Detection Guidance

Detection involves monitoring GraphQL API requests for the use of the mutation "WorkspacePopoverDeletionMutation" with UUIDs that do not belong to the authenticated user. Network or application logs can be inspected for suspicious deletion requests targeting other users' workspace objects. Specific commands depend on your environment, but for example, using tools like curl or GraphQL clients to query logs or intercept API calls can help. Example detection commands might include searching logs for mutation calls: grep 'WorkspacePopoverDeletionMutation' /path/to/logs or using network monitoring tools to filter GraphQL requests containing this mutation. However, no exact commands are provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenCTI to version 6.8.1 or later, where the vulnerability has been patched. Until the upgrade is applied, restrict access to the GraphQL API to trusted users only, monitor for suspicious deletion activities, and consider implementing additional authorization checks or network-level controls to limit exploitation. Avoid using the vulnerable mutation if possible. [1]

Compliance Impact

The vulnerability allows unauthorized deletion of critical user data, including dashboards and investigation cases containing sensitive evidence and analyst notes. This unauthorized deletion can disrupt incident response and forensic analysis, potentially leading to loss of important data required for compliance with standards like GDPR and HIPAA. Such data loss and operational disruption may result in non-compliance with data protection and incident management requirements mandated by these regulations. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61781. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart