Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the APP__ADMIN__EXTERNALLY_MANAGED configuration.
AnalysisAI
Unauthenticated attackers can escalate privileges in OpenCTI 6.6.0-6.9.12 by impersonating any user account, including the default administrator, to query the threat intelligence platform's API without providing credentials. This authentication bypass (CWE-287) permits complete unauthorized access to cyber threat intelligence data with CVSS 9.8 critical severity. The vulnerability allows attackers to bypass all authentication controls and assume administrative privileges remotely with low attack complexity. Fixed in version 6.9.13 with workaround available via configuration change. No active exploitation (CISA KEV) or public POC confirmed at time of analysis, though EPSS data was not provided.
Technical ContextAI
OpenCTI is a threat intelligence platform built on GraphQL API architecture for managing cyber threat knowledge graphs and observables. The vulnerability stems from improper authentication (CWE-287) in the API layer affecting versions 6.6.0 through 6.9.12. The flaw allows attackers to craft API requests that bypass authentication checks entirely, then assume the identity of any valid user account in the system through privilege escalation. The default admin account presents the highest-value target, as it has full platform privileges for viewing, modifying, and deleting threat intelligence data. The CPE identifier cpe:2.3:a:opencti-platform:opencti indicates this affects the core OpenCTI platform across all deployment configurations during the vulnerable version range.
RemediationAI
Upgrade immediately to OpenCTI version 6.9.13 or later, which contains the authentication bypass fix per vendor advisory GHSA-6vvv-vmfr-xhrx available at https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx. Organizations unable to upgrade immediately should implement the workaround by setting the APP__ADMIN__EXTERNALLY_MANAGED configuration parameter to disable the default admin account, reducing the attack surface by eliminating the highest-privilege impersonation target. This workaround limits but does not eliminate risk, as attackers can still impersonate other user accounts with lower privileges to access threat intelligence data. The workaround requires external user management infrastructure and may disrupt automated workflows depending on admin account. Network-level compensating controls such as restricting API access to authenticated VPN connections or trusted IP ranges provide defense-in-depth but do not address the core authentication bypass and should not substitute for patching.
OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can
OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can
OpenCTI is an open cyber threat intelligence (CTI) platform. Rated critical severity (CVSS 9.1), this vulnerability is r
OpenCTI is an open-source cyber threat intelligence platform. Rated high severity (CVSS 8.1), this vulnerability is remo
OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observ
In OpenCTI through 5.2.4, a broken access control vulnerability has been identified in the profile endpoint. Rated high
Privilege escalation in OpenCTI prior to 6.9.7 allows an organization admin to gain elevated platform-wide privileges by
Authorization bypass in OpenCTI prior to version 7.260326.0 lets any authenticated user holding the KNOWLEDGE_KNUPDATE p
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.
Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE ca
OpenCTI versions prior to 6.9.1 contain an authorization bypass vulnerability in the GraphQL mutation 'IndividualDeletio
OpenCTI is an open-source cyber threat intelligence platform. Rated medium severity (CVSS 6.3), this vulnerability is re
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27420