
CVE-2025-61781: CWE-285: Improper Authorization in OpenCTI-Platform opencti

Severity: High
Tags: Vulnerability, CVE-2025-61781, CWE-285, CWE-566, CWE-915
Published: Mon Jan 05 2026 (01/05/2026, 17:53:23 UTC)
Source: CVE Database V5
Vendor/Project: OpenCTI-Platform
Product: opencti

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue.

AI-Powered Analysis

Last updated: 01/05/2026, 18:22:09 UTC

Technical Analysis

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge and observables. CVE-2025-61781 resides in the GraphQL mutation WorkspacePopoverDeletionMutation, which deletes workspace-related objects such as dashboards and investigation cases. Prior to version 6.8.1 the mutation resolved its target purely from the caller-supplied identifier and did not check whether the requesting user owned, or was otherwise authorized on, the object it was about to delete.

Exploitation therefore follows the insecure-direct-object-reference pattern: an authenticated user with limited privileges obtains the UUID of a workspace belonging to another user and submits it in the mutation. Because the server performs no ownership check, the mutation succeeds and the entire workspace is removed. The damage is to integrity and availability; the flaw does not disclose data, but the deleted dashboards and investigations are gone for every user who relied on them.

The issue is reachable over the network, needs only low privileges (any authenticated account that can reach the GraphQL API) and requires no user interaction, so it is easy to exploit wherever OpenCTI serves more than a small set of fully trusted users. It is classified under CWE-285 (Improper Authorization), CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). Version 6.8.1 fixes the issue by verifying ownership and authorization before the deletion is carried out. No known exploits had been reported in the wild as of the publication date.
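To make the difference between the two code shapes concrete, the following is an added example written for this page; it is not OpenCTI's code. It models a GraphQL delete resolver for workspace objects in the vulnerable shape the analysis describes (authentication checked, ownership not) next to a hardened shape that loads the object and authorizes against it. The user names, the hypothetical BYPASS admin capability, and the in-memory store are all assumptions.

```javascript
// Added example, not OpenCTI's code. Minimal model of a GraphQL delete
// resolver for workspace objects (dashboards, investigations) in the
// vulnerable shape described by the advisory, next to a hardened version.
// User names, capability names and the in-memory store are assumptions.

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data: three users and two workspaces.
const USERS = {
  alice: { id: 'u-alice', capabilities: ['EXPLORE'] },
  bob:   { id: 'u-bob',   capabilities: ['EXPLORE'] },
  admin: { id: 'u-admin', capabilities: ['EXPLORE', 'BYPASS'] }, // hypothetical admin capability
};

function freshStore() {
  return new Map([
    ['ws-1111', { id: 'ws-1111', type: 'dashboard',     owner: 'u-alice' }],
    ['ws-2222', { id: 'ws-2222', type: 'investigation', owner: 'u-bob' }],
  ]);
}

// VULNERABLE shape: authentication is checked, authorization is not. The
// resolver trusts the caller-supplied id (CWE-566) and deletes whatever it
// points at, so any authenticated user can remove anyone's workspace.
function workspaceDeleteVulnerable(store, user, id) {
  if (!user) throw new ForbiddenError('unauthenticated');
  if (!store.has(id)) throw new NotFoundError(`no workspace ${id}`);
  store.delete(id);
  return id;
}

// HARDENED shape: load the object first, then decide based on the relation
// between the requester and that object, never on the id alone.
function canDeleteWorkspace(user, workspace) {
  if (user.capabilities.includes('BYPASS')) return true; // platform admin
  return workspace.owner === user.id;                    // owner only
}

function workspaceDeleteHardened(store, user, id) {
  if (!user) throw new ForbiddenError('unauthenticated');
  const workspace = store.get(id);
  // One indistinguishable failure for "does not exist" and "not yours", so the
  // mutation cannot be used as an oracle to confirm other users' workspace ids.
  if (!workspace || !canDeleteWorkspace(user, workspace)) {
    throw new ForbiddenError(`cannot delete workspace ${id}`);
  }
  store.delete(id);
  return id;
}

// Drive one deletion attempt against a fresh store and report the result.
function attempt(deleteFn, user, id) {
  const store = freshStore();
  let outcome;
  try {
    deleteFn(store, user, id);
    outcome = 'deleted';
  } catch (e) {
    outcome = e instanceof ForbiddenError ? 'forbidden' : 'error';
  }
  return { outcome, targetStillExists: store.has(id) };
}

// Scenario from the advisory: bob, a low-privilege user, supplies alice's UUID.
function scenario() {
  return {
    vulnerable: attempt(workspaceDeleteVulnerable, USERS.bob,   'ws-1111'),
    hardened:   attempt(workspaceDeleteHardened,   USERS.bob,   'ws-1111'),
    ownerOk:    attempt(workspaceDeleteHardened,   USERS.alice, 'ws-1111'),
    adminOk:    attempt(workspaceDeleteHardened,   USERS.admin, 'ws-1111'),
    unknownId:  attempt(workspaceDeleteHardened,   USERS.bob,   'ws-9999'),
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

Running it shows bob's attempt succeeding against the vulnerable resolver and being refused by the hardened one, while alice (owner) and the admin still delete normally. The design point is the order of operations: fetch the object, then authorize the requester against it, then mutate; an id the caller chose is never a sufficient reason to act.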

Potential Impact

For European organizations relying on OpenCTI for threat intelligence management, the flaw is primarily a threat to the integrity and availability of their threat data rather than to its confidentiality: the mutation deletes, it does not disclose. Unauthorized deletion of workspaces removes intelligence dashboards and investigation cases, disrupting incident response and threat analysis workflows and delaying detection and mitigation of attacks. Organizations in finance, government, critical infrastructure and cybersecurity services, where OpenCTI is commonly deployed, may face operational disruption and, where the deleted material was evidence or part of a regulatory record, compliance problems. Because exploitation requires only an ordinary authenticated account, the realistic actors are insiders and attackers holding compromised credentials. Loss of historical investigation data also impairs forensic analysis and threat hunting, and the impact is greatest where OpenCTI feeds SOC tooling and automated response systems that depend on the deleted content.

Mitigation Recommendations

European organizations should upgrade OpenCTI to version 6.8.1 or later without delay; that release adds the missing ownership and authorization checks. Where the upgrade cannot happen at once, the following reduce exposure until it does:

1. Limit who can authenticate to the GraphQL API at all, and keep the ability to delete dashboards and investigations to as few trusted accounts as possible; any authenticated user who can reach the mutation can trigger the flaw.
2. Segment the network and restrict the OpenCTI API endpoints to authorized internal users, rather than exposing the platform directly to the internet.
3. Log GraphQL mutations together with the requesting user and the target identifier, and alert on WorkspacePopoverDeletionMutation calls where the requester is not the owner of the targeted workspace, or on a single account deleting or attempting to delete many workspace UUIDs in a short period.
4. Audit user accounts, roles and workspace ownership regularly to find accounts with more access than they need.
5. Require multi-factor authentication so that a stolen password alone does not yield the authenticated session the attack needs.
6. Back up OpenCTI data, including dashboards and investigations, and test restoring it, so a deleted workspace can be recovered quickly if the flaw is exploited before the patch is applied.
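The monitoring recommendation above is the one that can be scripted. The following is an added example written for this page, not an OpenCTI feature: it scans newline-delimited JSON audit entries for workspace deletions where the requester is neither the owner nor an admin, and for deletion attempts against identifiers that are not in the workspace inventory (a hint of id probing). The log format and field names (ts, user, op, vars.id, status), the OWNERSHIP map and the ADMINS set are constructed assumptions; in a real deployment the ownership join comes from the workspace table or an export of it, and the field names must be mapped to whatever your OpenCTI instance or API gateway actually emits.

```javascript
// Added example, not OpenCTI's code. Detection pass over constructed GraphQL
// mutation audit entries: flag workspace deletions by non-owners and attempts
// against unknown workspace ids. Log schema, ownership map and admin set are
// assumptions to be replaced with real data sources.

// Assumed ownership inventory (workspace id -> owner user id) and admin set.
const OWNERSHIP = { 'ws-1111': 'u-alice', 'ws-2222': 'u-bob', 'ws-3333': 'u-alice' };
const ADMINS = new Set(['u-admin']);

// Operation name as given by the advisory; a GraphQL server normally logs the
// operationName the client sent, so extend this set if your client uses others.
const DELETE_OPS = new Set(['WorkspacePopoverDeletionMutation']);

// Constructed sample: newline-delimited JSON, one entry per GraphQL mutation.
const SAMPLE_LOG = `
{"ts":"2026-01-06T09:00:01Z","user":"u-alice","op":"WorkspacePopoverDeletionMutation","vars":{"id":"ws-3333"},"status":200}
{"ts":"2026-01-06T09:00:07Z","user":"u-bob","op":"WorkspacePopoverDeletionMutation","vars":{"id":"ws-1111"},"status":200}
{"ts":"2026-01-06T09:00:08Z","user":"u-bob","op":"WorkspacePopoverDeletionMutation","vars":{"id":"ws-9999"},"status":400}
{"ts":"2026-01-06T09:00:09Z","user":"u-bob","op":"WorkspaceFieldPatch","vars":{"id":"ws-2222"},"status":200}
{"ts":"2026-01-06T09:01:00Z","user":"u-admin","op":"WorkspacePopoverDeletionMutation","vars":{"id":"ws-2222"},"status":200}
`;

function parseLog(text) {
  return text.split('\n').filter((l) => l.trim()).map((l) => JSON.parse(l));
}

// One finding per deletion attempt that a correctly authorizing server would
// have refused: requester is not the owner, or the id is not in the inventory.
function findSuspiciousDeletions(entries, ownership, admins) {
  const findings = [];
  for (const e of entries) {
    if (!DELETE_OPS.has(e.op) || admins.has(e.user)) continue;
    const id = e.vars && e.vars.id;
    const owner = ownership[id];
    if (owner === undefined) {
      // Not in inventory: possible probing/enumeration of workspace ids.
      findings.push({ ts: e.ts, user: e.user, id, reason: 'unknown-workspace-id' });
    } else if (owner !== e.user) {
      findings.push({ ts: e.ts, user: e.user, id, owner, reason: 'cross-owner-delete' });
    }
  }
  return findings;
}

// Roll findings up per user so one account touching many ids stands out.
function countByUser(findings) {
  const counts = {};
  for (const f of findings) counts[f.user] = (counts[f.user] || 0) + 1;
  return counts;
}

const FINDINGS = findSuspiciousDeletions(parseLog(SAMPLE_LOG), OWNERSHIP, ADMINS);
console.log(FINDINGS, countByUser(FINDINGS));
```

On the sample, alice deleting her own dashboard and the admin deleting bob's investigation pass silently, while bob's deletion of alice's workspace and his attempt on an unknown id are both reported and roll up to two findings for one account. Because the patched server refuses cross-owner deletions, the same query run against post-upgrade logs still surfaces accounts that are probing, which is the behaviour worth investigating either way.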


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-09-30T19:43:49.902Z
Cvss Version
3.1
State
PUBLISHED


Added to database: 1/5/2026, 6:07:50 PM

Last enriched: 1/5/2026, 6:22:09 PM

Last updated: 1/8/2026, 1:30:05 PM

