CVE-2025-61781 Overview
CVE-2025-61781 is an authorization bypass vulnerability in OpenCTI, an open source platform for managing cyber threat intelligence knowledge and observables. The flaw is in the GraphQL mutation WorkspacePopoverDeletionMutation, which deletes workspace objects (dashboards and investigations). The mutation did not check that the requesting user owns, or is otherwise permitted to delete, the targeted workspace.
Critical Impact
Any authenticated user can exploit this vulnerability to delete another user's workspaces, dashboards and investigations alike, simply by supplying the UUID of the target workspace. No elevated role is required. The result is loss of analyst work product and disruption of threat intelligence operations.
Affected Products
- OpenCTI versions prior to 6.8.1
Discovery Timeline
- 2026-01-05 - CVE-2025-61781 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-61781
Vulnerability Analysis
This vulnerability stems from improper authorization (CWE-285) in OpenCTI's GraphQL API layer, the classic broken object-level authorization pattern. The resolver behind WorkspacePopoverDeletionMutation processes deletion requests without validating that the authenticated user owns, or holds an appropriate permission on, the targeted workspace. When a user submits a deletion request with a workspace UUID, the server acts on it based solely on the fact that the caller is logged in.
The mutation is reachable over the network and requires only a low-privileged authenticated account. The vulnerability does not expose confidential data, but it allows unauthorized modification (deletion) of data the caller has no rights to, and it can cause a high availability impact if an attacker deletes workspaces in bulk.
Root Cause
The root cause is a missing object-level authorization check in the mutation handler. The handler confirms that a user is logged in but never confirms that the requesting user owns, or has been granted permission to delete, the workspace identified by the supplied UUID. With that check absent, any authenticated user can reference and delete workspaces belonging to other users.
Attack Vector
An attacker exploits this vulnerability over the network by sending a crafted GraphQL mutation request to the OpenCTI API. The attack requires a low-privileged authenticated account (any valid user) and no user interaction. The attacker must know or enumerate the UUIDs of the target workspaces; UUIDs are identifiers, not secrets, and should not be relied on as an access control.
The exploitation flow involves:
- The attacker authenticates to OpenCTI with any valid user credentials
- The attacker identifies or enumerates the UUIDs of target workspaces (dashboards, investigations)
- The attacker sends a GraphQL mutation request to WorkspacePopoverDeletionMutation with the target UUID
- The server processes the deletion without verifying ownership, permanently removing the victim's workspace
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2025-61781
Indicators of Compromise
- Unexpected deletion of dashboards or investigations reported by users
- A high volume of WorkspacePopoverDeletionMutation GraphQL requests from a single user account
- Deletion requests targeting workspace UUIDs that the requesting user does not own (this requires an ownership record taken before the deletion, such as an audit trail or backup)
- Audit log entries showing workspace deletions by users who never viewed or edited those workspaces
Detection Strategies
- Monitor GraphQL API logs for WorkspacePopoverDeletionMutation requests and correlate with workspace ownership data
- Implement alerting on deletion operations where the requesting user ID does not match the resource owner
- Deploy API gateway rules to flag unusual patterns of workspace deletion requests
- Enable detailed audit logging for all workspace modification operations
Monitoring Recommendations
- Configure centralized logging for all GraphQL mutation requests, capturing at least the authenticated user, the operation name and the variables (which carry the target workspace id)
- Set up anomaly detection for deletion request frequency per user account
- Monitor for enumeration patterns that may indicate UUID discovery attempts
- Implement real-time alerting for bulk deletion events across multiple workspaces
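The detection and monitoring items above come down to two checks over the mutation log: a deletion whose requester is not the recorded owner of the target, and a burst of deletions from one account. The script below is an added example, not part of OpenCTI or of the advisory. It assumes a JSON-lines log with the fields ts, user, operationName and variables.id, and an ownership snapshot taken before the deletions; real OpenCTI or API-gateway logs differ, so parseEvents() is the part to adapt.

```javascript
// Added detection example, not OpenCTI code. Log format and field names
// (ts, user, operationName, variables.id) are assumptions for illustration.

const TARGET_OPERATION = 'WorkspacePopoverDeletionMutation';

// Constructed sample log: alice deletes her own dashboard, then mallory
// deletes three workspaces belonging to other users within a few seconds.
// One line of non-JSON noise is included to show it is skipped.
const SAMPLE_LOG = [
  '{"ts":"2026-01-06T10:00:01Z","user":"alice","operationName":"WorkspacePopoverDeletionMutation","variables":{"id":"ws-1111"}}',
  '{"ts":"2026-01-06T10:00:05Z","user":"alice","operationName":"WorkspaceEditMutation","variables":{"id":"ws-1111"}}',
  '{"ts":"2026-01-06T10:01:00Z","user":"mallory","operationName":"WorkspacePopoverDeletionMutation","variables":{"id":"ws-2222"}}',
  '{"ts":"2026-01-06T10:01:02Z","user":"mallory","operationName":"WorkspacePopoverDeletionMutation","variables":{"id":"ws-3333"}}',
  '{"ts":"2026-01-06T10:01:03Z","user":"mallory","operationName":"WorkspacePopoverDeletionMutation","variables":{"id":"ws-4444"}}',
  'not json at all',
];

// Constructed ownership snapshot (workspace id -> owner). It must come from a
// record taken before the deletions (audit trail, backup, export): once a
// workspace is gone, the live platform no longer knows who owned it.
const OWNER_SNAPSHOT = { 'ws-1111': 'alice', 'ws-2222': 'bob', 'ws-3333': 'bob', 'ws-4444': 'carol' };

// Parse JSON lines and keep only deletion mutations with a user and target id.
function parseEvents(lines) {
  const events = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip non-JSON noise
    if (rec.operationName !== TARGET_OPERATION) continue;
    const id = rec.variables && rec.variables.id;
    if (!rec.user || !id) continue;
    events.push({ ts: Date.parse(rec.ts), user: rec.user, workspaceId: id });
  }
  return events;
}

// Deletions where the requester is not the recorded owner of the target.
// A target missing from the snapshot is reported with owner: null so it is
// reviewed rather than silently ignored.
function findCrossOwnerDeletions(events, owners) {
  return events
    .filter((e) => owners[e.workspaceId] !== e.user)
    .map((e) => ({ ...e, owner: owners[e.workspaceId] ?? null }));
}

// Users issuing at least `threshold` deletions inside any `windowMs` window
// (sliding window over each user's sorted timestamps).
function findBurstUsers(events, { windowMs, threshold }) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e.ts);
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > windowMs) start++;
      if (i - start + 1 >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}

function analyze(lines, owners, opts = { windowMs: 60_000, threshold: 3 }) {
  const events = parseEvents(lines);
  return {
    deletions: events.length,
    crossOwner: findCrossOwnerDeletions(events, owners),
    burstUsers: findBurstUsers(events, opts),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_LOG, OWNER_SNAPSHOT), null, 2));
}
```

On the sample data this flags mallory's three deletions as cross-owner (owners bob, bob, carol) and mallory as a burst user, while alice deleting her own dashboard is not reported. Note that the operation name is chosen by the client: a tool that sends the same mutation under a different name would evade the operationName filter, so the more robust key is the server-side mutation field being invoked, if your logs record it.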
How to Mitigate CVE-2025-61781
Immediate Actions Required
- Upgrade OpenCTI to version 6.8.1 or later immediately
- Audit recent deletion logs to identify potential exploitation attempts
- Review user account access and revoke credentials for any compromised or suspicious accounts
- Implement backup and recovery procedures for critical workspace data if not already in place
Patch Information
The vulnerability is fixed in OpenCTI version 6.8.1. The release adds the missing object-level authorization check to the WorkspacePopoverDeletionMutation handler, so that the requesting user must own, or hold the appropriate permission on, a workspace before it can be deleted. Organizations should update to this version or later through their standard deployment procedures.
For additional details, refer to the GitHub Security Advisory.
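To make the root cause and the fix concrete, here is an added example written for this page; it is not OpenCTI's resolver and does not reproduce the actual patch. It models a workspace deletion resolver twice: deleteWorkspaceVulnerable checks only that a caller is logged in (the pattern described under Root Cause), and deleteWorkspaceFixed also enforces object-level authorization. The data model (owner, authorizedMembers, a roles array with 'admin') is an assumption for illustration.

```javascript
// Added illustration, not OpenCTI code. The store layout, user.roles and the
// 'admin' share level are assumptions chosen to show the pattern.

class AuthError extends Error {}

// Constructed sample data: alice owns a dashboard shared read-only with bob,
// bob owns an investigation shared with nobody.
function makeStore() {
  return new Map([
    ['ws-1111', { id: 'ws-1111', type: 'dashboard', owner: 'alice', authorizedMembers: { bob: 'view' } }],
    ['ws-2222', { id: 'ws-2222', type: 'investigation', owner: 'bob', authorizedMembers: {} }],
  ]);
}

function requireAuthenticated(user) {
  if (!user || !user.id) throw new AuthError('unauthenticated');
}

// Vulnerable pattern: authentication is checked, ownership is not, so any
// logged-in user can delete any workspace whose id they know.
function deleteWorkspaceVulnerable(store, user, id) {
  requireAuthenticated(user);
  if (!store.has(id)) return null;
  store.delete(id);
  return id;
}

// Object-level decision: platform admins, the owner, or members explicitly
// granted 'admin' on this workspace may delete it; 'view'/'edit' may not.
function canDeleteWorkspace(user, ws) {
  if (Array.isArray(user.roles) && user.roles.includes('admin')) return true;
  if (ws.owner === user.id) return true;
  return ws.authorizedMembers[user.id] === 'admin';
}

// Hardened pattern: load the object first, then decide per object.
// "Missing" and "forbidden" get the same answer so the endpoint cannot be
// used as an oracle to confirm which UUIDs exist.
function deleteWorkspaceFixed(store, user, id) {
  requireAuthenticated(user);
  const ws = store.get(id);
  if (!ws || !canDeleteWorkspace(user, ws)) throw new AuthError('not found or not permitted');
  store.delete(id);
  return id;
}

if (typeof require !== 'undefined' && require.main === module) {
  const mallory = { id: 'mallory', roles: [] };
  console.log('vulnerable:', deleteWorkspaceVulnerable(makeStore(), mallory, 'ws-1111'));
  try { deleteWorkspaceFixed(makeStore(), mallory, 'ws-1111'); }
  catch (e) { console.log('fixed:', e.message); }
}
```

The important structural difference is the order of operations: the fixed version fetches the target before deciding, because an authorization decision about a specific object cannot be made from the caller's identity alone.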
Workarounds
- Restrict network access to the OpenCTI GraphQL API to trusted networks or IP addresses until patching is complete; this limits the reach of stolen credentials but does nothing against a malicious or compromised account inside the trusted network
- Implement Web Application Firewall (WAF) or API gateway rules to log and rate-limit WorkspacePopoverDeletionMutation requests, keeping in mind that the operation name is chosen by the client and a modified client can send the same mutation under another name
- Enable enhanced audit logging to detect and alert on suspicious deletion patterns
- Consider temporarily disabling workspace deletion at the application or API gateway level if operationally feasible
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


