Description
When a non-admin user tries to promote a Cyber Observable into an Indicator from the UI, the operation fails with a backend GraphQLError / TypeError: Cannot read properties of undefined (reading 'match'). The UI shows an error toast and the indicator is not created.
Granting the user the capability “Bypass all capabilities” makes the same action succeed, which suggests a permission/capability check bug (or a missing/undefined internal type during access checks) rather than an actual data issue. We also tested removing all hidden entity types from groups (to rule out view restrictions) and the error persisted.
Environment
- OS (where OpenCTI server runs): Linux (Docker deployment)
- OpenCTI version: 6.9.0
- OpenCTI client: Frontend (UI) → action “Promote observable to indicator” (GraphQL mutation)
- Other environment details: N/A
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Log in with a user that can access observables and attempt indicator creation, without “Bypass all capabilities”.
- Open an observable (example: IPv4 observable 217.216.51.122).
- Use the UI action to promote/create an indicator from the observable.
- Keep defaults (e.g., Indicator type: stix) and use the pattern (e.g. [ipv4-addr:value = '217.216.51.122']).
- Click Create.
- Observe the UI error and backend exception.
Expected Output
The indicator should be created successfully from the observable (and shown in the UI), or the API should return a clean authorization error if the user truly lacks required permissions (instead of a TypeError).
Actual Output
- UI toast/error banner: Cannot read properties of undefined (reading 'match')
- Backend error during StixCyberObservableIndicatorsPromoteMutation (WRITE_ERROR). Indicator is not created.
Additional information
- Previously, in Incidents → Knowledge → Observables, when selecting multiple observables, there was a bulk action button to promote/convert selected observables directly into indicators. That button is no longer present (appears to have disappeared after recent OpenCTI updates). This forces analysts to promote observables one by one, and in our case the single-item promotion also fails unless “Bypass all capabilities” is granted.
- Backend log (full payload):
{"category":"APP","cause":{"attributes":{},"message":"Cannot read properties of undefined (reading 'match')","name":"GraphQLError","stack":"TypeError: Cannot read properties of undefined (reading 'match')\n at pascalize (/opt/opencti/build/back.js:1652:52202)\n at generateInternalType (/opt/opencti/build/back.js:1652:53066)\n at checkUserCanAccessStixElement (/opt/opencti/build/back.js:1712:155606)\n at isUserCanAccessStixElement (/opt/opencti/build/back.js:1712:156151)\n at async isStixMatchFilterGroup_MockableForUnitTests (/opt/opencti/build/back.js:1898:28092)\n at async checkDecayExclusionRules (/opt/opencti/build/back.js:2860:42102)\n at async addIndicator (/opt/opencti/build/back.js:2860:50128)\n at async promoteObservableToIndicator (/opt/opencti/build/back.js:3518:6895)"},"level":"error","message":"Cannot read properties of undefined (reading 'match')","operation":"StixCyberObservableIndicatorsPromoteMutation","size":45,"source":"backend","time":44,"timestamp":"2025-12-29T11:50:19.441Z","type":"WRITE_ERROR","user_id":"34349de3-9640-4be6-9507-10fa7508b69d","version":"6.9.0"}
Screenshots (optional)
- UI toast while creating indicator from observable:
- Backend log snippet showing the GraphQL error:
- Role capability workaround:
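
The failure mode in the stack trace above, as an added illustration that is not OpenCTI's code and not part of the original report: an access check derives a type name from an element with no `type`, so a `TypeError` escapes instead of an authorization error. The function bodies, the `ForbiddenAccess` class, the user and element shapes, and the assumption that the bypass capability short-circuits before the type is read are all constructed stand-ins.

```javascript
// Constructed stand-ins named after frames in the stack trace; NOT OpenCTI source.
const pascalize = (s) => s.match(/[a-z0-9]+/gi)
  .map((w) => w.charAt(0).toUpperCase() + w.slice(1).toLowerCase())
  .join('-');

const generateInternalType = (element) => pascalize(element.type);

class ForbiddenAccess extends Error {
  constructor(message) {
    super(message);
    this.name = 'ForbiddenAccess';
  }
}

// Assumed shape of the reported behaviour: the bypass capability returns early,
// so only non-bypass users reach the code that reads element.type.
const checkUnguarded = (user, element) => {
  if (user.capabilities.includes('BYPASS')) return true;
  return !user.hiddenTypes.includes(generateInternalType(element));
};

// Hardened variant: validate the type first and fail closed with an explicit
// authorization error instead of letting a TypeError reach the API layer.
const checkGuarded = (user, element) => {
  if (user.capabilities.includes('BYPASS')) return true;
  if (typeof element?.type !== 'string' || element.type.length === 0) {
    throw new ForbiddenAccess('Cannot evaluate access: element has no type');
  }
  return !user.hiddenTypes.includes(generateInternalType(element));
};

// Constructed sample data (pattern value taken from the report).
const analyst = { capabilities: ['KNOWLEDGE'], hiddenTypes: ['Malware'] };
const admin = { capabilities: ['BYPASS'], hiddenTypes: [] };
const typed = { type: 'indicator', pattern: "[ipv4-addr:value = '217.216.51.122']" };
const untyped = { pattern: "[ipv4-addr:value = '217.216.51.122']" };

// Runs a check and reports either its boolean result or the error name.
const outcome = (check, user, element) => {
  try { return String(check(user, element)); } catch (e) { return e.name; }
};

console.log(outcome(checkUnguarded, analyst, untyped));
console.log(outcome(checkGuarded, analyst, untyped));
```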
