OpenCTI GraphQL Unauthorized Deletion Vulnerability in Workspaces

Vulnerability

A vulnerability in OpenCTI versions prior to 6.8.1 allows authenticated users to delete workspace-related objects of other users through the GraphQL mutation "WorkspacePopoverDeletionMutation". The mutation lacks proper authorization checks to verify ownership of the targeted resources. By supplying an active UUID of another user, an attacker can exploit this flaw, leading to unauthorized deletion of dashboards and investigation cases. This results in a loss of critical user data and operational disruption, particularly for high-value users such as admins and SOC analysts.
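The class of flaw described above, a delete operation that authenticates the caller but never checks ownership of the target, is shown here beside a hardened form. This is an added example, not OpenCTI's code: the in-memory store, the `ownerId` and `admins` fields and both function names are assumptions made for illustration.

```javascript
// Added illustration; not OpenCTI source. The data model and all names are hypothetical.
class ForbiddenError extends Error {}

// Constructed sample data: two workspaces owned by different users.
function makeStore() {
  return new Map([
    ['ws-1', { id: 'ws-1', type: 'dashboard', ownerId: 'alice', admins: [] }],
    ['ws-2', { id: 'ws-2', type: 'investigation', ownerId: 'bob', admins: ['alice'] }],
  ]);
}

// Flawed shape: the caller is authenticated, but the supplied id is trusted as-is.
function deleteWorkspaceUnchecked(store, user, id) {
  if (!user) throw new ForbiddenError('authentication required');
  return store.delete(id) ? id : null;
}

// Hardened shape: load the object first, authorize the caller against it, then delete.
function deleteWorkspaceChecked(store, user, id) {
  if (!user) throw new ForbiddenError('authentication required');
  const ws = store.get(id);
  const allowed = ws && (ws.ownerId === user.id || ws.admins.includes(user.id));
  // One error for "missing" and "not yours", so the response does not confirm that an id exists.
  if (!allowed) throw new ForbiddenError('workspace not found or access denied');
  store.delete(id);
  return id;
}
```

The authorization decision is made server-side from the stored object and the session identity, never from anything the request itself supplies.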

Impact

Exploitation of this vulnerability causes irreversible deletion of workspace content, including custom dashboards and investigation cases. This loss disrupts user operations and can delay incident response efforts. Additionally, the vulnerability serves as a privilege escalation vector, allowing attackers to target and disrupt high-value users by deleting their critical workspace items.

Remediation

Users can upgrade to OpenCTI version 6.8.1 or later to address this vulnerability.

Added: Jan 5, 2026, 6:18 PM
Updated: Jan 5, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.