CVE-2025-24887

OpenCTI bypass of protected attribute update

CVSS 6.3 MEDIUM | EPSS 0.2% | CWE-284 | CWE-657
In short

OpenCTI versions 6.4.8 to 6.4.9 allow authenticated, low-privileged users to bypass security restrictions and modify attributes they should not be able to change, such as marking accounts as external or changing their own authentication token. This can let an attacker enumerate user accounts and gain unauthorized access.

Technical detail

The vulnerability lies in the allow/deny list validation applied to user attribute updates: the check does not correctly enforce attribute protection, so an authenticated user with low privileges can modify protected fields (`external`, `token`, `otp_qr`, `otp_activated`) through API requests. This enables enumeration of user accounts and, through token manipulation, potential privilege escalation.

Summary generated and translated by AI from the official description.
OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the `external` flag on/off and change their own token value for a user. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and the information about these users' identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low-privileged user. This issue has been patched in version 6.4.10.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
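As an added illustration (not OpenCTI's own code) of the control whose failure this advisory describes: a deny list of protected attributes that is evaluated before any allow list, so a user edit request naming `external`, `token`, `otp_qr` or `otp_activated` is rejected regardless of who sends it, plus a helper that tests a version string against the affected range. The protected field names and the version range come from the advisory; the self-editable attribute list, the actor shape and the request shape are assumptions.

```javascript
// Illustrative allow/deny enforcement for user attribute updates (assumed design,
// not OpenCTI's implementation). Deny-listed keys are checked first so that no
// allow-list path can reach them.

// Attributes a standard user may change on their own account (assumed list).
const SELF_EDITABLE = new Set(['name', 'description', 'theme', 'language']);

// Attributes named in CVE-2025-24887 that must not be user-modifiable.
const PROTECTED = new Set(['external', 'token', 'otp_qr', 'otp_activated']);

// actor: { id, isAdmin }; inputs: [{ key, value }, ...]  (assumed shapes)
function validateUserUpdate(actor, targetUserId, inputs) {
  const rejected = [];
  for (const { key } of inputs) {
    // Deny list wins over every other check.
    if (PROTECTED.has(key)) {
      rejected.push(key);
      continue;
    }
    // Non-admins may only edit their own account, and only allow-listed keys.
    if (!actor.isAdmin && (actor.id !== targetUserId || !SELF_EDITABLE.has(key))) {
      rejected.push(key);
    }
  }
  return { allowed: rejected.length === 0, rejected };
}

// Affected range from the advisory: >= 6.4.8 and < 6.4.10 (fixed in 6.4.10).
function isAffectedVersion(version) {
  const parts = version.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return false;
  const cmp = (a, b) => {
    for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
    return 0;
  };
  return cmp(parts, [6, 4, 8]) >= 0 && cmp(parts, [6, 4, 10]) < 0;
}

// Constructed sample: a low-privileged user trying to flip its own external flag.
const sampleUser = { id: 'user-1', isAdmin: false };
const sampleRequest = [{ key: 'name', value: 'analyst' }, { key: 'external', value: true }];
console.log(validateUserUpdate(sampleUser, 'user-1', sampleRequest));
console.log('6.4.9 affected:', isAffectedVersion('6.4.9'));
```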
