
CVE-2025-46732: CWE-285: Improper Authorization in OpenCTI-Platform opencti

Medium
Published: Fri Jul 18 2025 (07/18/2025, 15:05:11 UTC)
Source: CVE Database V5
Vendor/Project: OpenCTI-Platform
Product: opencti

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.6.6, an IDOR vulnerability in the GraphQL `NotificationLineNotificationMarkReadMutation` and `NotificationLineNotificationDeleteMutation` mutations of OpenCTI allows an authenticated user to change the read status of a notification or delete a notification of another user in case he has knowledge of the UUID of the notification. When changing the read status of a notification, the user also receives the content of the notification they changed the read status of. Authenticated users in OpenCTI can read, modify and delete notifications of other users if they know the UUID of the notification. Version 6.6.6 fixes the issue.

AI-Powered Analysis

Last updated: 07/18/2025, 15:31:31 UTC

Technical Analysis

CVE-2025-46732 is an improper authorization vulnerability (CWE-285) affecting versions of the OpenCTI platform prior to 6.6.6. OpenCTI is an open-source cyber threat intelligence platform used to manage threat intelligence knowledge and observables. The vulnerability exists in the GraphQL API mutations NotificationLineNotificationMarkReadMutation and NotificationLineNotificationDeleteMutation. Authenticated users can exploit an Insecure Direct Object Reference (IDOR) flaw by providing the UUID of a notification belonging to another user. Because the mutations only check that the caller is authenticated, not that the caller owns the referenced notification, this allows them to change the read status or delete notifications of other users. When changing the read status, the attacker also receives the content of the targeted notification, potentially exposing sensitive threat intelligence data. The vulnerability requires the attacker to be authenticated but does not require user interaction beyond sending crafted GraphQL mutation requests. The CVSS v3.1 base score is 5.4 (medium severity), reflecting low attack complexity (AC:L), network attack vector (AV:N), low privileges required (PR:L), no user interaction (UI:N), and limited confidentiality and integrity impact (C:L/I:L) with no availability impact (A:N). The issue was fixed in OpenCTI version 6.6.6 by adding proper authorization checks to ensure users can only modify or delete their own notifications. No known exploits are reported in the wild as of the publication date.
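The ownership check that the 6.6.6 fix adds, shown as an added illustration in plain JavaScript (this is not OpenCTI's code; the in-memory store, the `ctx.user` field, the function names and the UUIDs are all constructed for the example). The vulnerable resolver acts on whatever UUID it is handed and returns the content; the hardened variants resolve the notification, verify the caller owns it, and record refused attempts so they can be alerted on:

```javascript
// Constructed notification store: UUID -> { owner, read, content }.
const store = new Map([
  ["11111111-1111-4111-8111-111111111111", { owner: "alice", read: false, content: "Alice's alert" }],
  ["22222222-2222-4222-8222-222222222222", { owner: "bob", read: false, content: "Bob's alert" }],
]);
// Constructed audit trail of refused mutations; a real deployment would emit
// these to its application log so that monitoring can pick them up.
const denied = [];

// Vulnerable shape of the bug: authentication is assumed to have happened
// upstream, but nothing ties the UUID to the caller. Any authenticated user
// can mark any notification read and receives its content in the response.
function markReadVulnerable(ctx, id) {
  const n = store.get(id);
  if (!n) return null;
  n.read = true;
  return { id, content: n.content, read: n.read };
}

// Hardened: load the object, then enforce ownership before mutating or
// returning anything. Missing and foreign notifications raise the same error
// so the endpoint does not become an oracle for valid UUIDs.
function loadOwned(ctx, id, action) {
  const n = store.get(id);
  if (!n || n.owner !== ctx.user) {
    denied.push({ user: ctx.user, action, id });
    throw new Error("FORBIDDEN");
  }
  return n;
}

function markReadSecure(ctx, id) {
  const n = loadOwned(ctx, id, "markRead");
  n.read = true;
  return { id, content: n.content, read: true };
}

function deleteSecure(ctx, id) {
  loadOwned(ctx, id, "delete");
  store.delete(id);
  return id;
}
```

The `denied` entries are the events the mitigation section's monitoring advice is looking for: a user repeatedly tripping the ownership check on UUIDs that are not theirs.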

Potential Impact

For European organizations using OpenCTI versions prior to 6.6.6, this vulnerability poses a moderate risk to the confidentiality and integrity of cyber threat intelligence data. Attackers with valid user credentials can access notifications intended for other users, potentially exposing sensitive or strategic threat information. This could lead to unauthorized disclosure of internal threat assessments or intelligence-sharing details, undermining trust and operational security. Additionally, the ability to delete notifications of other users may disrupt threat monitoring workflows and cause loss of critical alerting information. While the vulnerability does not allow full system compromise or availability disruption, the exposure of sensitive intelligence and interference with notification data can impact incident response and threat analysis capabilities. European organizations involved in cybersecurity operations, government CERTs, or private sector threat intelligence sharing communities are particularly at risk. The medium severity rating reflects that exploitation is feasible but requires authenticated access, so the realistic threat actors are insiders or attackers holding compromised accounts.

Mitigation Recommendations

European organizations should immediately upgrade OpenCTI installations to version 6.6.6 or later, where the vulnerability is patched. Until upgrading, implement strict access controls and monitoring on user accounts to prevent unauthorized access. Enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Review and audit user permissions regularly to ensure least privilege principles are applied. Monitor GraphQL API usage logs for suspicious mutation requests that attempt to access or modify notifications not belonging to the authenticated user. Consider implementing Web Application Firewall (WAF) rules to detect and block anomalous GraphQL mutation patterns. Educate users about the importance of safeguarding their credentials and reporting suspicious activity. Finally, coordinate with OpenCTI community and vendors for any additional security advisories or patches.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-28T20:56:09.085Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 687a653aa83201eaacf48a5f

Added to database: 7/18/2025, 3:16:10 PM

Last enriched: 7/18/2025, 3:31:31 PM

Last updated: 8/12/2025, 11:04:48 AM
