Summary

The GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources.
An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace.

Impact

Loss of Critical User Data

• Custom Dashboards often contain personalized views, metrics, and configurations tailored to specific workflows or monitoring needs.
• Investigation Cases may include sensitive evidence, timelines, and analyst notes crucial for incident response or forensic analysis.
• Unauthorized deletion leads to irreversible data loss, disrupting user operations and investigations.

Operational Disruption

• Users may lose access to dashboards used for real-time monitoring or decision-making.
• Investigations may be halted or delayed due to missing case data, affecting incident response timelines and outcomes.
• Teams relying on shared dashboards or cases may face coordination breakdowns.

Privilege Escalation Vector

• Attackers can use this vulnerability to target high-value users (e.g., admins, SOC analysts) by deleting their dashboards or cases.
• This can be part of a broader attack chain to sabotage detection capabilities, hide malicious activity, or delay response.