OpenCTI is an open-source platform designed for managing cyber threat intelligence data, including knowledge and observables. In versions prior to 6.9.1, the GraphQL mutation named IndividualDeletionDeleteMutation is intended to allow authorized users to delete specific individual entity objects. However, the mutation lacks proper authorization checks to verify that the targeted object is contextually related to the mutation's intended scope. This improper authorization (CWE-285) allows users with limited privileges to delete unrelated and sensitive objects, such as analysis reports, which are critical for threat intelligence operations. The root cause is the absence of validation in the API to ensure that the deletion request is authorized for the specific object targeted. Although the vulnerability does not allow attackers to read or modify data beyond deletion, it can cause significant availability impact by removing important data. The vulnerability is tracked as CVE-2026-21886 with a CVSS v3.1 base score of 6.5 (medium severity), reflecting network exploitability with low privileges required and no user interaction. The issue was addressed and fixed in OpenCTI version 6.9.1 by adding proper validation and authorization checks to the mutation.

The primary impact of this vulnerability is on the availability of critical cyber threat intelligence data within the OpenCTI platform. Attackers with low privileges can delete unrelated and sensitive objects, including analysis reports, potentially disrupting threat intelligence workflows and investigations. This can lead to loss of valuable data, operational delays, and reduced situational awareness. Since OpenCTI is often used by security teams, government agencies, and large enterprises for managing threat intelligence, the deletion of key data can impair incident response and threat hunting capabilities. While confidentiality and integrity are not directly compromised, the loss of data availability can have cascading effects on organizational security posture. The vulnerability requires network access and low privileges but no user interaction, making it moderately easy to exploit in environments where OpenCTI is accessible. No known exploits are reported in the wild yet, but the risk remains significant until patched.

Organizations using OpenCTI versions prior to 6.9.1 should upgrade to version 6.9.1 or later immediately to remediate this vulnerability. If immediate upgrade is not feasible, restrict network access to the OpenCTI GraphQL API to trusted users only, using network segmentation and firewall rules. Implement strict role-based access controls (RBAC) to limit deletion privileges to only highly trusted users. Monitor logs for suspicious deletion requests or anomalous activity related to the IndividualDeletionDeleteMutation. Conduct regular backups of OpenCTI data to enable recovery in case of unauthorized deletions. Additionally, review and harden API authorization logic if custom modifications exist. Security teams should also consider deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious GraphQL mutation requests targeting deletion operations.