CVE-2026-27960
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation in OpenCTI Platform

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27960
EUVD
EUVD-2026-27420
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
opencti opencti From 6.6.0 (inc) to 6.9.12 (inc)
opencti opencti 6.9.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27960 is a critical privilege escalation vulnerability in the OpenCTI platform versions 6.6.0 through 6.9.12.

It allows unauthenticated attackers to query the API as any existing user, including the default admin account, effectively granting them full administrative access.

This means an attacker does not need any prior privileges or user interaction and can exploit this remotely over the network.

The vulnerability has been fixed in version 6.9.13.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data and full administrative control over the OpenCTI platform.

  • Confidentiality impact: Attackers can access sensitive threat intelligence data.
  • Integrity impact: Attackers can modify or delete data within the platform.
  • Availability impact: Attackers can disrupt the availability of the platform.

Because the attack requires no privileges or user interaction and can be performed remotely, it poses a critical risk to any affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenCTI to version 6.9.13 or later where the issue is fixed.

As an additional measure, disable the default admin account by setting the configuration APP__ADMIN__EXTERNALLY_MANAGED.

Compliance Impact

This vulnerability allows unauthenticated attackers to gain full administrative access to the OpenCTI platform, potentially compromising the confidentiality, integrity, and availability of sensitive data.

Such unauthorized access and privilege escalation could lead to violations of common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Failure to remediate this vulnerability could result in non-compliance due to unauthorized data exposure or manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart