Cyber Posture

CVE-2025-61781

High

Published: 05 January 2026

Published
05 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0019 40.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization…

more

checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access to information and system resources, directly addressing the missing ownership verification in the WorkspacePopoverDeletionMutation.

AC-24 Access Control Decisions partial match
prevent

Provides capability to make access control decisions based on ownership attributes, mitigating bypass through supply of unauthorized UUIDs.

AC-6 Least Privilege partial match
prevent

Employs least privilege to restrict low-privilege users from deleting workspaces they do not own, complementing proper authorization enforcement.

Security SummaryAI

CVE-2025-61781 affects OpenCTI, an open source platform for managing cyber threat intelligence knowledge and observables, in versions prior to 6.8.1. The vulnerability resides in the GraphQL mutation "WorkspacePopoverDeletionMutation," which enables deletion of workspace-related objects such as dashboards and investigation cases. This mutation lacks proper authorization checks to verify the requester's ownership of the targeted resources, allowing unauthorized actions based on CWE-285 (Improper Authorization), CWE-566 (Authorization Bypass Through User-Controlled Key), CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), and CWE-863 (Incorrect Authorization). The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high availability impact with low integrity impact.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying the active UUID of a workspace owned by another user, the attacker bypasses ownership validation, causing the mutation to execute successfully and resulting in the complete unauthorized deletion of the targeted workspace.

The GitHub Security Advisory at https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c details the issue and confirms that upgrading to OpenCTI version 6.8.1 resolves the vulnerability by implementing the necessary authorization checks.

Details

CWE(s)
CWE-285CWE-566CWE-915CWE-863

Affected Products

citeum
opencti
≤ 6.8.1

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
attack.mitre.org →
Why these techniques?

The vulnerability enables unauthorized deletion of workspaces and related objects (dashboards, investigation cases) in OpenCTI via authorization bypass in GraphQL mutation, causing high availability impact (CVSS A:H) consistent with application exploitation for DoS (T1499.004) and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References