Skip to main content

OpenCTI EUVDEUVD-2026-27420

| CVE-2026-27960 CRITICAL
Improper Authentication (CWE-287)
2026-05-05 GitHub_M
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 05, 2026 - 20:02 EUVD
Analysis Generated
May 05, 2026 - 19:30 vuln.today

DescriptionGitHub Advisory

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the APP__ADMIN__EXTERNALLY_MANAGED configuration.

AnalysisAI

Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.

Technical ContextAI

OpenCTI is a threat intelligence platform built on GraphQL API architecture for managing cyber threat knowledge graphs and observables. The vulnerability stems from improper authentication (CWE-287) in the API layer affecting versions 6.6.0 through 6.9.12. The flaw allows attackers to craft API requests that bypass authentication checks entirely, then assume the identity of any valid user account in the system through privilege escalation. The default admin account presents the highest-value target, as it has full platform privileges for viewing, modifying, and deleting threat intelligence data. The CPE identifier cpe:2.3:a:opencti-platform:opencti indicates this affects the core OpenCTI platform across all deployment configurations during the vulnerable version range.

RemediationAI

Upgrade immediately to OpenCTI version 6.9.13 or later, which contains the authentication bypass fix per vendor advisory GHSA-6vvv-vmfr-xhrx available at https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx. Organizations unable to upgrade immediately should implement the workaround by setting the APP__ADMIN__EXTERNALLY_MANAGED configuration parameter to disable the default admin account, reducing the attack surface by eliminating the highest-privilege impersonation target. This workaround limits but does not eliminate risk, as attackers can still impersonate other user accounts with lower privileges to access threat intelligence data. The workaround requires external user management infrastructure and may disrupt automated workflows depending on admin account. Network-level compensating controls such as restricting API access to authenticated VPN connections or trusted IP ranges provide defense-in-depth but do not address the core authentication bypass and should not substitute for patching.

CVE-2020-37041 HIGH POC
7.5 Jan 30

OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can

CVE-2020-37044 MEDIUM POC
5.4 Jan 30

OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can

CVE-2025-24977 CRITICAL
9.1 May 05

OpenCTI is an open cyber threat intelligence (CTI) platform. Rated critical severity (CVSS 9.1), this vulnerability is r

CVE-2024-45404 HIGH
8.1 Dec 12

OpenCTI is an open-source cyber threat intelligence platform. Rated high severity (CVSS 8.1), this vulnerability is remo

CVE-2024-26139 HIGH
8.1 May 23

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observ

CVE-2022-30290 HIGH
7.5 Jul 05

In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. Rated high

CVE-2026-44730 HIGH
7.2 May 26

Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by

CVE-2026-35210 HIGH
7.1 Jul 08

Authorization bypass in OpenCTI prior to version 7.260326.0 lets any authenticated user holding the KNOWLEDGE_KNUPDATE p

CVE-2025-61781 HIGH
7.1 Jan 05

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.

CVE-2026-35211 MEDIUM
6.5 Jul 08

Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE ca

CVE-2026-21886 MEDIUM
6.5 Mar 17

OpenCTI versions prior to 6.9.1 contain an authorization bypass vulnerability in the GraphQL mutation 'IndividualDeletio

CVE-2025-24887 MEDIUM
6.3 Apr 30

OpenCTI is an open-source cyber threat intelligence platform. Rated medium severity (CVSS 6.3), this vulnerability is re

Share

EUVD-2026-27420 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy