CVE-2026-21886
Received Received - Intake
Improper Authorization in OpenCTI GraphQL Causes Data Deletion

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analyses reports etc. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21886
EUVD
EUVD-2026-12578
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
citeum opencti to 6.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CWE-566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-21886 is a moderate severity vulnerability in the OpenCTI platform versions prior to 6.9.1. It involves the GraphQL mutation called "IndividualDeletionDeleteMutation," which is intended to delete individual entity objects.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because this mutation lacks proper validation to ensure that the object being deleted is contextually related to the mutation. As a result, attackers can misuse this mutation to delete unrelated and sensitive objects such as analysis reports, incident response cases, and threat actor records.'}, {'type': 'paragraph', 'content': 'This issue is caused by missing or incorrect authorization checks and improper control over which object attributes can be modified, allowing attackers with low privileges to perform unauthorized deletions remotely without user interaction.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to delete sensitive and unrelated data within the OpenCTI platform, such as analysis reports and threat intelligence records.

Such unauthorized deletions affect the availability of critical data, potentially disrupting cyber threat intelligence operations and incident response efforts.

However, the vulnerability does not impact confidentiality or integrity of the data, only availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves misuse of the GraphQL mutation "IndividualDeletionDeleteMutation" in OpenCTI versions prior to 6.9.1, allowing unauthorized deletion of unrelated sensitive objects.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, monitor GraphQL API requests for calls to the "IndividualDeletionDeleteMutation" mutation, especially those that attempt to delete objects outside the expected scope.'}, {'type': 'paragraph', 'content': 'You can use network traffic inspection tools or API logging to identify suspicious mutation requests.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using grep on API logs to find mutation calls: grep -i 'IndividualDeletionDeleteMutation' /path/to/opencti/api/logs.log"}, {'type': 'list_item', 'content': "Using tcpdump or Wireshark to capture and filter GraphQL HTTP POST requests containing the mutation name: tcpdump -A -s 0 'tcp port 4000 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'IndividualDeletionDeleteMutation'"}, {'type': 'list_item', 'content': 'Querying OpenCTI logs or monitoring tools for unusual deletion events or unexpected deletions of analysis reports, incident cases, or threat actor records.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade OpenCTI to version 6.9.1 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider restricting access to the GraphQL API to trusted users only, especially limiting users with privileges to perform deletions.

Implement network-level controls such as firewall rules or API gateways to block or monitor suspicious mutation requests.

Review and tighten authorization policies to ensure that users cannot perform deletions outside their intended scope.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21886. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart