Skip to main content

OpenCTI CVE-2026-35211

| EUVDEUVD-2026-42431 MEDIUM
Code Injection (CWE-94)
2026-07-08 security-advisories@github.com
6.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable GraphQL API requires low-privilege authenticated KNOWLEDGE role; pure availability impact via CPU exhaustion with no confidentiality or integrity impact confirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 22:20 vuln.today
Patch available
Jul 08, 2026 - 22:04 EUVD

DescriptionCVE.org

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, allowing computationally expensive scripts to consume cluster CPU resources and degrade or deny service for all users. This issue is fixed in version 7.260401.0.

AnalysisAI

Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE capability to submit computationally expensive, unvalidated scripts that saturate Elasticsearch cluster CPU, degrading or denying service for the entire platform. All OpenCTI deployments prior to version 7.260401.0 are affected, with the vulnerability residing in the exposed 'script' FilterOperator of the GraphQL API. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain KNOWLEDGE-capable OpenCTI credentials
Delivery
Craft GraphQL query using 'script' FilterOperator
Exploit
Embed computationally expensive Painless script
Execution
Submit query to OpenCTI GraphQL API
Persist
Elasticsearch cluster CPU saturated
Impact
Platform-wide availability denied for all users

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated OpenCTI session with the KNOWLEDGE capability explicitly assigned to the user account - this is the specific RBAC permission that grants access to the 'script' FilterOperator within the GraphQL API's FilterOperator enum. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) reflects a network-reachable (AV:N), low-complexity (AC:L) attack requiring only low-privilege authentication (PR:L - the KNOWLEDGE role). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated OpenCTI user assigned the KNOWLEDGE capability submits a GraphQL search query using the 'script' FilterOperator, embedding a Painless script containing a computationally expensive loop or heavy aggregation targeting the Elasticsearch cluster. The cluster's CPU threads are consumed by the script execution, causing query timeouts and platform-wide service degradation for all concurrent OpenCTI users. …
Remediation Upgrade to OpenCTI version 7.260401.0, the vendor-confirmed fix, available at https://github.com/OpenCTI-Platform/opencti/releases/tag/7.260401.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37041 HIGH POC
7.5 Jan 30

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can

CVE-2026-27960 CRITICAL
9.8 May 05

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including t

CVE-2020-37044 MEDIUM POC
5.4 Jan 30

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can

CVE-2025-24977 CRITICAL
9.1 May 05

OpenCTI is an open cyber threat intelligence (CTI) platform. Rated critical severity (CVSS 9.1), this vulnerability is r

CVE-2024-45404 HIGH
8.1 Dec 12

OpenCTI is an open-source cyber threat intelligence platform. Rated high severity (CVSS 8.1), this vulnerability is remo

CVE-2024-26139 HIGH
8.1 May 23

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observ

CVE-2022-30290 HIGH
7.5 Jul 05

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. Rated high

CVE-2026-44730 HIGH
7.2 May 26

Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by

CVE-2026-35210 HIGH
7.1 Jul 08

Authorization bypass in OpenCTI prior to version 7.260326.0 lets any authenticated user holding the KNOWLEDGE_KNUPDATE p

CVE-2025-61781 HIGH
7.1 Jan 05

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.

CVE-2026-21886 MEDIUM
6.5 Mar 17

OpenCTI versions prior to 6.9.1 contain an authorization bypass vulnerability in the GraphQL mutation 'IndividualDeletio

CVE-2025-24887 MEDIUM
6.3 Apr 30

OpenCTI is an open-source cyber threat intelligence platform. Rated medium severity (CVSS 6.3), this vulnerability is re

Share

CVE-2026-35211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy