CVE-2025-46732: OpenCTI IDOR Vulnerability Allows Unauthorized Notification Access
OpenCTI, a platform for managing cyber threat intelligence knowledge, has addressed an Insecure Direct Object Reference (IDOR) vulnerability. This flaw could allow authenticated users to access and manipulate notifications belonging to other users.
Vulnerability Details
- CVE ID: CVE-2025-46732
- Description: An IDOR vulnerability exists in the GraphQL `NotificationLineNotificationMarkReadMutation` and `NotificationLineNotificationDeleteMutation` mutations of OpenCTI. An authenticated user with knowledge of a notification's UUID can change its read status or delete it, even if the notification belongs to another user. Marking a notification as read also exposes its content to the unauthorized user.
- CVSS Score: 5.4 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVSS Explanation:
- AV:N (Network): The vulnerability can be exploited over the network.
- AC:L (Low): No special conditions or preparation are required; the attacker only needs to send the mutation with the target UUID.
- PR:L (Low): The attacker needs to be an authenticated user.
- UI:N (None): No user interaction is required to exploit the vulnerability.
- S:U (Unchanged): The vulnerable component and the impacted component are the same (OpenCTI itself); exploitation does not cross into another security authority.
- C:L (Low): Limited confidentiality impact: the attacker can read the content of another user's notification once it is marked read.
- I:L (Low): Limited integrity impact: the attacker can change the read state of, or delete, another user's notification.
- A:N (None): There is no impact on system availability.
- Exploit Requirements: An authenticated user must know the UUID of the target notification.
- Affected Vendor: OpenCTI
- Affected Product: OpenCTI
- Affected Version: Versions prior to 6.6.6
- CWE: CWE-285 (Improper Authorization)
- CWE Explanation: CWE-285 occurs when the application does not properly verify that the user is authorized to perform the requested action. In this case, the system fails to validate if the user has the right to modify or delete the specific notification.
Timeline of Events
- Reported: Unknown
- Fixed: Version 6.6.6
- Published: 2025-07-18
Exploitability & Real-World Risk
This vulnerability poses a moderate risk to OpenCTI users. An attacker needs an authenticated account, but a low-privileged account on a shared threat-intelligence platform is often easier to obtain than a more complex vulnerability is to exploit. Notification UUIDs are not guessable, so the practical precondition is that the attacker learns a target UUID by some other means; once they have one, no further privilege is needed. The real-world impact includes unauthorized access to the information carried in notifications (which can reveal what entities, reports or indicators a privileged user is tracking) and disruption through deletion of important notifications, which could be used to hide traces of malicious activity or delay an incident response.
Recommendations
- Upgrade: Upgrade to OpenCTI version 6.6.6 or later.
- Monitor: Until upgraded, monitor audit or access logs for the `NotificationLineNotificationMarkReadMutation` and `NotificationLineNotificationDeleteMutation` operations, in particular one account invoking them against many distinct notification UUIDs in a short period or against notifications it does not own.
Technical Insight
The vulnerability resides in the GraphQL mutations responsible for handling notifications. The resolvers confirm that the caller is authenticated and then load the notification by UUID alone, without checking that the notification's owner is the calling user. Any authenticated user who knows the UUID of someone else's notification can therefore mark it read (which returns its content to them) or delete it. The fix in 6.6.6 adds that ownership check to the mutation path.
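To make the missing check concrete, here is an added example in plain JavaScript, not OpenCTI's code: an in-memory notification store with a resolver written the vulnerable way (fetch by UUID, no owner comparison) next to the hardened form that resolves the object and requires the caller to own it. Names, the `user_id`/`is_read` fields and the UUIDs are assumptions for illustration.

```javascript
// Added example (not OpenCTI code): the IDOR pattern behind CVE-2025-46732
// and the ownership check that closes it. Field names are assumptions.

class AuthorizationError extends Error {}

// Constructed sample data: two users and one notification for each.
const USERS = {
  alice: { id: 'user-alice' },
  mallory: { id: 'user-mallory' },
};
const ALICE_NOTIF = '11111111-1111-4111-8111-111111111111';
const MALLORY_NOTIF = '22222222-2222-4222-8222-222222222222';

let notifications;
function seed() {
  notifications = new Map([
    [ALICE_NOTIF, { id: ALICE_NOTIF, user_id: USERS.alice.id, is_read: false,
                    content: 'Report "Q3 intrusion set" was updated' }],
    [MALLORY_NOTIF, { id: MALLORY_NOTIF, user_id: USERS.mallory.id, is_read: false,
                      content: 'Indicator x was created' }],
  ]);
}

// Vulnerable resolver shape: authentication is enforced (a user context must
// exist) but the object is fetched by UUID alone, so any logged-in user can
// flip the read state of, and receive the content of, anyone's notification.
function markReadVulnerable(user, notificationId, read) {
  if (!user) throw new AuthorizationError('unauthenticated');
  const n = notifications.get(notificationId);
  if (!n) return null;
  n.is_read = read;
  return { ...n };
}

function deleteVulnerable(user, notificationId) {
  if (!user) throw new AuthorizationError('unauthenticated');
  return notifications.delete(notificationId);
}

// Hardened shape: resolve the object and require that the caller owns it.
// A foreign UUID gets the same answer as a nonexistent one, so the response
// cannot be used to confirm which UUIDs belong to other users.
function loadOwnedNotification(user, notificationId) {
  if (!user) throw new AuthorizationError('unauthenticated');
  const n = notifications.get(notificationId);
  if (!n || n.user_id !== user.id) return null;
  return n;
}

function markReadSafe(user, notificationId, read) {
  const n = loadOwnedNotification(user, notificationId);
  if (!n) return null;
  n.is_read = read;
  return { ...n };
}

function deleteSafe(user, notificationId) {
  const n = loadOwnedNotification(user, notificationId);
  if (!n) return false;
  return notifications.delete(notificationId);
}

// Side-by-side check: Mallory against Alice's notification on both paths.
function demo() {
  seed();
  const leaked = markReadVulnerable(USERS.mallory, ALICE_NOTIF, true);
  seed();
  const refused = markReadSafe(USERS.mallory, ALICE_NOTIF, true);
  return { leaked: leaked !== null, refused: refused === null };
}

console.log(demo());
```

The ownership test belongs in the loader that every mutation goes through, not in each mutation separately; an object-level check that only one of the two mutations performs leaves the other one exposed, which is exactly the shape of this bug.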
Credit to Researcher(s)
The reporter is not named here; the issue was disclosed through a GitHub Security Advisory for OpenCTI.
Tags
CVE-2025-46732, OpenCTI, IDOR, Vulnerability, Cyber Threat Intelligence, Notification Access
Summary: An IDOR vulnerability in OpenCTI (CVE-2025-46732) allows any authenticated user who knows a notification's UUID to mark another user's notification as read (exposing its content) or delete it. Upgrade to version 6.6.6 or later to mitigate this risk.
CVE ID: CVE-2025-46732
Risk Analysis: Successful exploitation could lead to unauthorized access to sensitive information contained within notifications, as well as the potential for disruption through the deletion of important notifications. This could be used to conceal malicious activity or disrupt incident response efforts.
Recommendation: Upgrade to OpenCTI version 6.6.6 or later to address this vulnerability. Regularly review and monitor system logs for any suspicious activity related to notification access.
Timeline
- 2025-07-18: CVE Published
- 2025-07-18: OpenCTI 6.6.6 released with fix