Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutation "IndividualDeletionDeleteMutation" is intended to allow users to delete Individual entity objects. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analysis reports. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.
Published: 2026-03-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Sensitive Data
Action: Apply Patch
AI Analysis

Impact

The OpenCTI GraphQL mutation "IndividualDeletionDeleteMutation" is meant to delete Individual entity objects. Because the API does not check that the object identified by the mutation's argument is in fact an Individual, a caller can point the mutation at unrelated and sensitive entities, such as analysis Reports, and delete them. The flaw is an authorization bypass (CWE-285 Improper Authorization, CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key, CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes): the permission to delete one entity type is turned into the ability to delete any entity. The consequence is loss of threat-intelligence records, which damages the completeness of the knowledge base and hinders later analysis.

Affected Systems

OpenCTI-Platform (opencti) versions prior to 6.9.1 are affected. The fix was released in version 6.9.1, which adds contextual validation to the mutation.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, low privileges required, no user interaction, and the deletion scored as a high availability impact rather than an integrity impact. EPSS estimates a less than 1% probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Based on the description, the attack vector is an authenticated call to the GraphQL API: any user who can invoke the mutation can point it at an object of another type and delete it on instances not yet updated to 6.9.1 or later.

Generated by OpenCVE AI on March 19, 2026 at 21:24 UTC.

Remediation

Vendor fix: OpenCTI 6.9.1 adds the missing validation that the targeted object matches the mutation's entity type. No workaround short of upgrading is documented on this page.

OpenCVE Recommended Actions

  • Update OpenCTI to version 6.9.1 or later to apply the patch that enforces contextual validation.
  • Verify that role-based access controls are correctly configured after the update to limit deletion privileges.
  • Monitor audit logs for unexpected deletions or anomalous API activity to detect any potential abuse.
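As an added illustration of the defect class described in the Impact paragraph above, and of the audit-log monitoring recommended in the last bullet, the following JavaScript (the language OpenCTI's platform is written in) sketches a minimal GraphQL-style resolver in its vulnerable and hardened forms, then runs a mismatch check over constructed audit records. This is example code, not OpenCTI's; the store contents, ids, the `id` argument, `context.user` and the audit-record fields are assumptions made for the example. Only the mutation name comes from the advisory.

```javascript
// Added example (not OpenCTI's code): the defect class behind CVE-2026-21886
// in a minimal GraphQL-style resolver, its fix, and a check over the audit
// trail. Entity shapes, ids, argument names and audit-record fields are
// constructed for illustration.

// Constructed knowledge base: two objects of different types, keyed by id.
function makeStore() {
  return new Map([
    ['individual--1', { id: 'individual--1', entity_type: 'Individual', name: 'Jane Analyst' }],
    ['report--1', { id: 'report--1', entity_type: 'Report', name: 'Q1 threat landscape' }],
  ]);
}

// The only mutation name the advisory gives; it exists to delete Individuals.
const MUTATION = 'IndividualDeletionDeleteMutation';
const EXPECTED_TYPE = { [MUTATION]: 'Individual' };

// Vulnerable shape: the resolver trusts the caller-supplied id and deletes
// whatever object carries it. A per-role "may delete Individuals" check
// (omitted here) would not help, because nothing ties the target's type to
// the mutation being executed.
function deleteIndividualVulnerable(store, auditLog, args, context) {
  const target = store.get(args.id);
  if (!target) throw new Error('not found');
  store.delete(args.id);
  auditLog.push({ mutation: MUTATION, user: context.user, id: args.id, deletedType: target.entity_type });
  return args.id;
}

// Hardened shape: resolve the object first and refuse unless its type is the
// one this mutation is defined for. Role capability checks still apply on top.
function deleteIndividualHardened(store, auditLog, args, context) {
  const target = store.get(args.id);
  if (!target) throw new Error('not found');
  if (target.entity_type !== EXPECTED_TYPE[MUTATION]) {
    throw new Error(`${MUTATION} cannot delete a ${target.entity_type}`);
  }
  store.delete(args.id);
  auditLog.push({ mutation: MUTATION, user: context.user, id: args.id, deletedType: target.entity_type });
  return args.id;
}

// Detection over audit records: a deletion whose object type does not match
// the type its mutation is meant for is the anomaly worth alerting on.
function findMismatchedDeletions(auditLog) {
  return auditLog.filter(
    (e) => EXPECTED_TYPE[e.mutation] !== undefined && EXPECTED_TYPE[e.mutation] !== e.deletedType,
  );
}

// Run both resolvers against a Report id and report what happened.
function demo() {
  const vulnStore = makeStore();
  const vulnLog = [];
  deleteIndividualVulnerable(vulnStore, vulnLog, { id: 'report--1' }, { user: 'low-priv-analyst' });

  const fixedStore = makeStore();
  const fixedLog = [];
  let refused = false;
  try {
    deleteIndividualHardened(fixedStore, fixedLog, { id: 'report--1' }, { user: 'low-priv-analyst' });
  } catch (e) {
    refused = true;
  }
  // The legitimate case still works after the fix.
  deleteIndividualHardened(fixedStore, fixedLog, { id: 'individual--1' }, { user: 'low-priv-analyst' });

  return {
    reportDeletedByVulnerable: !vulnStore.has('report--1'),
    mismatchesInVulnerableLog: findMismatchedDeletions(vulnLog).length,
    hardenedRefusedReport: refused && fixedStore.has('report--1'),
    hardenedDeletedIndividual: !fixedStore.has('individual--1'),
    mismatchesInHardenedLog: findMismatchedDeletions(fixedLog).length,
  };
}

console.log(demo());
```

The type check belongs in the resolver, before the store call, because that is the only point where the mutation's intent (delete an Individual) and the concrete target are both known. The detection function is the same rule applied after the fact: if your platform logs the deleted object's type alongside the mutation name, a mismatch is a direct indicator of the misuse this advisory describes.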

Generated by OpenCVE AI on March 19, 2026 at 21:24 UTC.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Citeum; Citeum opencti
CPEs                 (none)           cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Citeum; Citeum opencti

Wed, 18 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Opencti-platform; Opencti-platform opencti
Vendors & Products   (none)           Opencti-platform; Opencti-platform opencti

Tue, 17 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 15:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analyses reports etc. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.
Title         (none)           OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities
Weaknesses    (none)           CWE-285; CWE-566; CWE-915
References    (none)
Metrics       (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T16:09:31.748Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21886

Vulnrichment

Updated: 2026-03-17T16:09:29.077Z

NVD

Status : Analyzed

Published: 2026-03-17T16:16:19.953

Modified: 2026-03-19T19:33:27.520

Link: CVE-2026-21886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:13Z

Weaknesses