Cyber Posture

CVE-2026-21886

Medium

Published: 17 March 2026

Modified: 19 March 2026
KEV Added:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutation "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analysis reports. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mandates enforcement of access authorizations in the GraphQL API to block misuse of IndividualDeletionDeleteMutation for deleting unrelated sensitive objects like analysis reports.

prevent: Requires validation of GraphQL mutation inputs to ensure the targeted object ID is contextually authorized for deletion, addressing the lack of API validation.

prevent: Restricts user privileges to the least necessary levels, reducing the scope of objects that low-privilege attackers can target via the flawed deletion mutation.

Security Summary

CVE-2026-21886 affects OpenCTI, an open source platform for managing cyber threat intelligence knowledge and observables, in versions prior to 6.9.1. The vulnerability resides in the GraphQL mutation "IndividualDeletionDeleteMutation," which is designed to allow users to delete individual entity objects. Due to insufficient validation in the API, this mutation can be misused to delete unrelated and sensitive objects, such as analysis reports. The issue is rated with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-285 (Improper Authorization), CWE-566 (Authorization Bypass Through User-Controlled Key), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By invoking the mutation against unintended targets, the attacker can delete sensitive objects like analysis reports, resulting in high-impact availability disruption without affecting confidentiality or integrity.

The official GitHub security advisory (GHSA-mhmx-j75v-2m6x) confirms that OpenCTI version 6.9.1 addresses the issue by adding proper validation to ensure the targeted object is contextually related to the mutation. Security practitioners should upgrade to version 6.9.1 or later to mitigate the vulnerability.
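The summary above describes the root cause as a type-specific deletion mutation that never confirms what kind of object the caller-supplied id refers to. The following JavaScript is an added illustration, not OpenCTI's own code and not the project's fix: the in-memory store, the capability name KNOWLEDGE_DELETE, the resolver names and the sample objects are all constructed. It places the vulnerable resolver shape beside the hardened one so the check the advisory calls for (the targeted object must be of the entity type the mutation is meant for) is visible in code.

```javascript
// Added illustration, not OpenCTI's own code. The store, the capability name
// KNOWLEDGE_DELETE and the resolver names are constructed for this example.

class ForbiddenError extends Error {}

// Constructed in-memory stand-in for the platform's object database. Every
// object carries an entity_type; that field is what the hardened resolver checks.
function makeStore() {
  return new Map([
    ['individual--1', { id: 'individual--1', entity_type: 'Individual', name: 'Jane Analyst' }],
    ['report--1',     { id: 'report--1',     entity_type: 'Report',     name: 'Constructed analysis report' }],
  ]);
}

function requireCapability(user, capability) {
  if (!user.capabilities.includes(capability)) {
    throw new ForbiddenError(`missing capability ${capability}`);
  }
}

// Vulnerable pattern (CWE-285 / CWE-566): the mutation is named for Individuals
// but only checks that the caller may delete *something*. It never confirms what
// kind of object the caller-supplied id refers to, so any id in the store,
// including a Report, can be removed through it.
function individualDeleteVulnerable(store, user, id) {
  requireCapability(user, 'KNOWLEDGE_DELETE');
  if (!store.has(id)) throw new Error('object not found');
  store.delete(id);
  return id;
}

// Hardened pattern: load the object first and require that its entity type is
// the one this mutation exists to remove. The same shape serves any
// type-specific deletion mutation by changing expectedType.
function deleteOfType(store, user, id, expectedType) {
  requireCapability(user, 'KNOWLEDGE_DELETE');
  const obj = store.get(id);
  // One error for both "absent" and "wrong type": the mutation should not act
  // as an oracle revealing which ids belong to other entity types.
  if (!obj || obj.entity_type !== expectedType) {
    throw new Error(`${expectedType} not found`);
  }
  store.delete(id);
  return id;
}

function individualDeleteHardened(store, user, id) {
  return deleteOfType(store, user, id, 'Individual');
}

// Run both resolvers against the same input and report what each did.
function demo() {
  const user = { capabilities: ['KNOWLEDGE_DELETE'] };

  const vulnerableStore = makeStore();
  individualDeleteVulnerable(vulnerableStore, user, 'report--1');
  const reportLostViaVulnerable = !vulnerableStore.has('report--1');

  const hardenedStore = makeStore();
  let hardenedRefusedReport = false;
  try {
    individualDeleteHardened(hardenedStore, user, 'report--1');
  } catch (e) {
    hardenedRefusedReport = hardenedStore.has('report--1');
  }
  // Legitimate use still works: an Individual id is accepted.
  individualDeleteHardened(hardenedStore, user, 'individual--1');
  const individualDeletedViaHardened = !hardenedStore.has('individual--1');

  return { reportLostViaVulnerable, hardenedRefusedReport, individualDeletedViaHardened };
}

console.log(demo());
```

The capability check alone (the first line of both resolvers) is the least-privilege control from the mitigating-controls list; it bounds who may delete but not what. The entity-type comparison in `deleteOfType` is the contextual validation the advisory credits 6.9.1 with adding, and it is the check that turns an arbitrary-object deletion into a deletion limited to the mutation's own type.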

Details

CWE(s)

Affected Products

citeum / opencti, version ≤ 6.9.1

MITRE ATT&CK Enterprise Techniques

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows authenticated low-privilege users to delete sensitive objects like analysis reports via GraphQL mutation, enabling data destruction (T1485) and application denial of service through exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References