Cyber Posture

CVE-2026-21886

Medium

Published: 17 March 2026

Modified: 19 March 2026
KEV Added: not listed
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21886 is a medium-severity Improper Authorization (CWE-285) vulnerability in Citeum Opencti. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). EPSS ranks it at the 33.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and one other technique, Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent, AC-3 (Access Enforcement): directly mandates enforcement of access authorizations in the GraphQL API, blocking misuse of IndividualDeletionDeleteMutation to delete unrelated sensitive objects such as analysis reports.

Prevent: requires validation of GraphQL mutation inputs so that the targeted object ID is contextually authorized for deletion, addressing the missing API validation.

Prevent, AC-6 (Least Privilege): restricts user privileges to the least necessary level, reducing the set of objects a low-privilege attacker can target via the flawed deletion mutation.

MITRE ATT&CK Enterprise Techniques

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows authenticated low-privilege users to delete sensitive objects like analysis reports via GraphQL mutation, enabling data destruction (T1485) and application denial of service through exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutation "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analysis reports. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue.

Deeper analysis

CVE-2026-21886 affects OpenCTI, an open source platform for managing cyber threat intelligence knowledge and observables, in versions prior to 6.9.1. The vulnerability resides in the GraphQL mutation "IndividualDeletionDeleteMutation," which is designed to allow users to delete individual entity objects. Due to insufficient validation in the API, this mutation can be misused to delete unrelated and sensitive objects, such as analysis reports. The issue is rated with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-285 (Improper Authorization), CWE-566 (Authorization Bypass Through User-Controlled Key), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By invoking the mutation against unintended targets, the attacker can delete sensitive objects like analysis reports, resulting in high-impact availability disruption without affecting confidentiality or integrity.

The official GitHub security advisory (GHSA-mhmx-j75v-2m6x) confirms that OpenCTI version 6.9.1 addresses the issue by adding proper validation to ensure the targeted object is contextually related to the mutation. Security practitioners should upgrade to version 6.9.1 or later to mitigate the vulnerability.
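The contextual check the advisory describes, shown as an added illustration that is not OpenCTI's code: a hypothetical deletion resolver that removes whatever object the caller-supplied id names, beside a hardened resolver that first confirms the object's entity type matches the mutation and that the requester is authorized for that object. The in-memory store, user records, capability names and field names are all constructed for this example.

```javascript
// Added illustration (not OpenCTI's code): a deletion mutation resolver
// that fails to check the target's type, beside one that does.
// Store contents, IDs, capability and field names are constructed.

// Constructed in-memory store standing in for the platform's object graph.
const STORE = new Map([
  ['individual--1', { id: 'individual--1', entity_type: 'Individual', created_by: 'alice' }],
  ['report--1',     { id: 'report--1',     entity_type: 'Report',     created_by: 'bob' }],
]);

// Hypothetical user records; "capabilities" is an assumed simplification.
const USERS = {
  alice: { id: 'alice', capabilities: ['KNOWLEDGE_UPDATE'] },
  admin: { id: 'admin', capabilities: ['KNOWLEDGE_UPDATE', 'KNOWLEDGE_DELETE'] },
};

// Flawed pattern: the resolver trusts the caller-supplied id and deletes
// whatever object it names, so a mutation meant for Individual entities
// can remove a Report (CWE-566 user-controlled key, CWE-285 missing authz).
function individualDeleteUnchecked(store, requester, id) {
  if (!store.has(id)) throw new Error('not found');
  store.delete(id);
  return id;
}

// Hardened pattern: resolve the object first, then enforce (1) the type
// this mutation is defined for and (2) the requester's authorization for
// that specific object, before performing the delete.
function individualDeleteChecked(store, requester, id) {
  const target = store.get(id);
  if (!target) throw new Error('not found');
  // Contextual check: this mutation only ever deletes Individual entities.
  if (target.entity_type !== 'Individual') {
    throw new Error(`mutation does not apply to entity_type ${target.entity_type}`);
  }
  // Access enforcement (AC-3): creator, or holder of the delete capability.
  const allowed = target.created_by === requester.id
    || requester.capabilities.includes('KNOWLEDGE_DELETE');
  if (!allowed) throw new Error('forbidden');
  store.delete(id);
  return id;
}

// Runs a resolver as the low-privilege user "alice" against a fresh copy
// of the constructed store and records the outcome per object id.
function demo(resolver) {
  const store = new Map(STORE);
  const outcome = {};
  for (const id of ['individual--1', 'report--1']) {
    try {
      resolver(store, USERS.alice, id);
      outcome[id] = 'deleted';
    } catch (e) {
      outcome[id] = `refused: ${e.message}`;
    }
  }
  return outcome;
}

console.log('unchecked:', demo(individualDeleteUnchecked));
console.log('checked:  ', demo(individualDeleteChecked));
```

With the unchecked resolver, alice removes both her own Individual and bob's Report; with the checked resolver, the Report is refused because its entity type is outside the mutation's scope, which is the property the 6.9.1 fix restores. Detection-wise, the same idea suggests alerting on delete mutations whose resolved target type differs from the mutation's name.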

Details

CWE(s): CWE-285, CWE-566, CWE-915

Affected Products: citeum opencti, versions ≤ 6.9.1

CVEs Like This One

CVE-2025-61781 (same product: Citeum Opencti)
CVE-2020-37041 (same product: Citeum Opencti)
CVE-2026-21887 (same product: Citeum Opencti)
CVE-2026-27960 (same product: Citeum Opencti)
CVE-2026-39980 (same product: Citeum Opencti)
CVE-2026-40259 (shared CWE-285)
CVE-2026-25999 (shared CWE-285)
CVE-2024-13646 (shared CWE-285)
CVE-2025-64523 (shared CWE-285)
CVE-2026-22783 (shared CWE-915)
