Skip to main content

OpenCTI CVE-2026-35210

| EUVDEUVD-2026-42430 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-08 security-advisories@github.com
7.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
7.1 HIGH

Network API with low complexity and no user interaction, but requires an authenticated KNOWLEDGE_KNUPDATE account (PR:L); impact is chiefly data integrity/marking tampering (I:H) with limited confidentiality from marking removal (C:L) and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 22:04 EUVD
Analysis Generated
Jul 08, 2026 - 21:36 vuln.today

DescriptionCVE.org

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.

AnalysisAI

Authorization bypass in OpenCTI prior to version 7.260326.0 lets any authenticated user holding the KNOWLEDGE_KNUPDATE permission override Confidence Level validation and Object Marking restrictions simply by adding the 'synchronized-upsert: true' HTTP header. Exploitation allows downgrading confidence levels, stripping security markings such as TLP:RED, and tampering with STIX objects (Indicators, Threat Actors, Malware, Reports) and their relationships. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with KNOWLEDGE_KNUPDATE account
Delivery
Craft upsert request with synchronized-upsert:true header
Exploit
Bypass confidence and marking validation
Execution
Strip TLP:RED and downgrade STIX objects
Impact
Corrupt intel and over-share data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated OpenCTI account holding the KNOWLEDGE_KNUPDATE permission (knowledge-write), and the attacker must add the specific HTTP header 'synchronized-upsert: true' to update/upsert requests - that header is the exact trigger that bypasses Confidence Level validation and Object Marking enforcement on STIX objects such as Indicators, ThreatActors, Malware, and Reports. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, base 7.1) reflects the real shape of the risk well: network-reachable, low complexity, no user interaction, but requiring an authenticated account with the KNOWLEDGE_KNUPDATE knowledge-write permission. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An analyst account (or a compromised low-trust user) that has KNOWLEDGE_KNUPDATE sends an otherwise normal update/upsert API request to the OpenCTI platform but adds the HTTP header 'synchronized-upsert: true'. The server skips Confidence Level and Object Marking checks, letting the attacker strip TLP:RED from a sensitive Indicator or Report, lower its confidence, and rewrite its relationships so downstream consumers ingest degraded or over-shared intelligence. …
Remediation Vendor-released patch: upgrade OpenCTI to 7.260326.0 or later, which enforces validation on the synchronized-upsert path (see release https://github.com/OpenCTI-Platform/opencti/releases/tag/7.260326.0, advisory GHSA-36fr-4m54-94mj at https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-36fr-4m54-94mj, and fix PR https://github.com/OpenCTI-Platform/opencti/pull/14243). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenCTI instances, current versions, and audit users with KNOWLEDGE_KNUPDATE permission. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37041 HIGH POC
7.5 Jan 30

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can

CVE-2026-27960 CRITICAL
9.8 May 05

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including t

CVE-2020-37044 MEDIUM POC
5.4 Jan 30

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can

CVE-2025-24977 CRITICAL
9.1 May 05

OpenCTI is an open cyber threat intelligence (CTI) platform. Rated critical severity (CVSS 9.1), this vulnerability is r

CVE-2024-45404 HIGH
8.1 Dec 12

OpenCTI is an open-source cyber threat intelligence platform. Rated high severity (CVSS 8.1), this vulnerability is remo

CVE-2024-26139 HIGH
8.1 May 23

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observ

CVE-2022-30290 HIGH
7.5 Jul 05

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. Rated high

CVE-2026-44730 HIGH
7.2 May 26

Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by

CVE-2025-61781 HIGH
7.1 Jan 05

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.

CVE-2026-35211 MEDIUM
6.5 Jul 08

Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE ca

CVE-2026-21886 MEDIUM
6.5 Mar 17

OpenCTI versions prior to 6.9.1 contain an authorization bypass vulnerability in the GraphQL mutation 'IndividualDeletio

CVE-2025-24887 MEDIUM
6.3 Apr 30

OpenCTI is an open-source cyber threat intelligence platform. Rated medium severity (CVSS 6.3), this vulnerability is re

Share

CVE-2026-35210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy