Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN007
_____________________________________________________________________

DATE                : 07/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenCTI versions prior to 6.8.1.

=====================================================================
https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c
_____________________________________________________________________


GraphQL IDOR allows authenticated user to delete workspace content
of other users
High
aHenryJard published GHSA-pr6m-q4g7-342c Jan 5, 2026

Package
No package listed

Affected versions
< 6.8.1

Patched versions
>= 6.8.1


Description

Summary

The GraphQL mutation "WorkspacePopoverDeletionMutation" allows users
to delete workspace-related objects such as dashboards and
investigation cases. However, the mutation lacks proper authorization
checks to verify ownership of the targeted resources.
An attacker can exploit this by supplying an active UUID of another
user. Since the API does not validate whether the requester owns the
resource, the mutation executes successfully, resulting in
unauthorized deletion of the entire workspace.


Impact

Loss of Critical User Data

    Custom Dashboards often contain personalized views, metrics, and
configurations tailored to specific workflows or monitoring needs.
    Investigation Cases may include sensitive evidence, timelines,
and analyst notes crucial for incident response or forensic analysis.
    Unauthorized deletion leads to irreversible data loss, disrupting
user operations and investigations.

Operational Disruption

    Users may lose access to dashboards used for real-time monitoring
or decision-making.
    Investigations may be halted or delayed due to missing case data,
affecting incident response timelines and outcomes.
    Teams relying on shared dashboards or cases may face coordination
breakdowns.


Privilege Escalation Vector

    Attackers can use this vulnerability to target high-value users
(e.g., admins, SOC analysts) by deleting their dashboards or cases.
    This can be part of a broader attack chain to sabotage detection
capabilities, hide malicious activity, or delay response.


Severity
High
7.1/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE ID
CVE-2025-61781

Weaknesses
Weakness CWE-285
Weakness CWE-566
Weakness CWE-915


Credits

    @DaffySpider DaffySpider Finder
    @gxteo-pt gxteo-pt Analyst


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================