CVE-2025-61781

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:* - VULNERABLE

OpenCTI < 6.8.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

需要生成PoC代码

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61781
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61781
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61781/
[4] VulDB https://vuldb.com/cve/CVE-2025-61781
[5] https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61781", "sourceIdentifier": "[email protected]", "published": "2026-01-05T18:15:44.077", "lastModified": "2026-01-30T01:18:17.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation \"WorkspacePopoverDeletionMutation\" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources.\nAn attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-566"}, {"lang": "en", "value": "CWE-915"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.8.1", "matchCriteriaId": "F79A2E14-8F36-47B3-9637-16A9A9EE2088"}]}]}], "references": [{"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}