CVE-2025-61781
📋 TL;DR
This vulnerability allows attackers to delete other users' workspaces in OpenCTI by exploiting an authorization flaw in the GraphQL mutation 'WorkspacePopoverDeletionMutation'. Any OpenCTI instance running versions before 6.8.1 is affected, potentially allowing unauthorized data destruction.
💻 Affected Systems
- OpenCTI
📦 What is this software?
OpenCTI by Citeum
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of critical threat intelligence data including dashboards and investigation cases, disrupting security operations and potentially causing data recovery challenges.
Likely Case
Unauthorized deletion of workspaces belonging to other users, leading to data loss and operational disruption within the threat intelligence platform.
If Mitigated
Minimal impact with proper access controls and monitoring, though the vulnerability still exists until patched.
🎯 Exploit Status
Exploitation requires authenticated access but minimal technical skill - just knowledge of another user's workspace UUID.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.1
Vendor Advisory: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c
Restart Required: Yes
Instructions:
1. Back up your OpenCTI data and configuration.
2. Update OpenCTI to version 6.8.1 or later using your deployment method (Docker, manual install, etc.).
3. Restart the OpenCTI service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable vulnerable mutation
Temporarily disable or restrict access to the 'WorkspacePopoverDeletionMutation' GraphQL mutation
# Requires modifying the GraphQL schema or implementing middleware to block the mutation
Implement API gateway filtering
Add WAF or API gateway rules to block mutation requests containing UUID patterns
# Configure your WAF/API gateway to filter GraphQL requests with mutation: WorkspacePopoverDeletionMutation
🧯 If You Can't Patch
- Implement strict access controls and monitor all GraphQL mutation requests
- Enable comprehensive logging and alerting for workspace deletion activities
🔍 How to Verify
Check if Vulnerable:
Check the OpenCTI version via the web interface or API. If the version is below 6.8.1, the system is vulnerable.
Check Version:
curl -X POST http://your-opencti-url/api/graphql -H 'Content-Type: application/json' -d '{"query":"{ version }"}'
Verify Fix Applied:
After updating, verify that the version is 6.8.1 or higher and test that workspace deletion now requires proper authorization.
📡 Detection & Monitoring
Log Indicators:
- GraphQL logs showing 'WorkspacePopoverDeletionMutation' requests
- Workspace deletion events initiated by users who do not own the target workspace
- Multiple workspace deletions by one user within a short timeframe
Network Indicators:
- GraphQL POST requests to /api/graphql with mutation: WorkspacePopoverDeletionMutation
- Unusual patterns of workspace deletion API calls
SIEM Query:
source="opencti" AND ("WorkspacePopoverDeletionMutation" OR "workspace deletion") | stats count by user, workspace_id
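As an added example (not part of this advisory or of OpenCTI itself), the two log indicators above, non-owner deletions and deletion bursts, expressed as detection logic run over constructed JSON-per-line log entries; the field names, the ownership inventory and the sample entries are assumptions for illustration, not OpenCTI's real audit-log schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

MUTATION = "WorkspacePopoverDeletionMutation"

# Constructed sample log lines (one JSON object per line). Field names are
# assumptions for this example, not OpenCTI's actual audit-log schema.
SAMPLE_LOG = """
{"ts": "2025-10-01T10:00:00Z", "user": "alice", "operation": "WorkspacePopoverDeletionMutation", "workspace_id": "ws-1"}
{"ts": "2025-10-01T10:00:30Z", "user": "mallory", "operation": "WorkspacePopoverDeletionMutation", "workspace_id": "ws-2"}
{"ts": "2025-10-01T10:01:00Z", "user": "mallory", "operation": "WorkspacePopoverDeletionMutation", "workspace_id": "ws-3"}
{"ts": "2025-10-01T10:02:00Z", "user": "mallory", "operation": "WorkspacePopoverDeletionMutation", "workspace_id": "ws-4"}
{"ts": "2025-10-01T11:00:00Z", "user": "bob", "operation": "WorkspaceEditionMutation", "workspace_id": "ws-5"}
"""

# Assumed ownership inventory (workspace id -> owning user), e.g. exported from the platform.
OWNERS = {"ws-1": "alice", "ws-2": "alice", "ws-3": "bob", "ws-4": "mallory", "ws-5": "bob"}


def parse_events(text):
    """Parse JSON-per-line log text into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def non_owner_deletions(events, owners):
    """Deletion mutations issued by a user who does not own the target workspace."""
    return [(e["user"], e["workspace_id"]) for e in events
            if e["operation"] == MUTATION and owners.get(e["workspace_id"]) != e["user"]]


def burst_deletions(events, window=timedelta(minutes=5), threshold=3):
    """Users who issue at least `threshold` deletion mutations inside any sliding `window`."""
    recent = defaultdict(deque)   # user -> timestamps of deletions still inside the window
    flagged = {}                  # user -> largest burst size observed
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["operation"] != MUTATION:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(q))
    return flagged
```

Feeding real audit-log output through `parse_events` needs only the field mapping adjusted to the platform's actual schema.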