CVE-2026-35210
Received Received - Intake

Authorization Bypass in OpenCTI Platform

Vulnerability report for CVE-2026-35210, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opencti opencti to 7.260326.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenCTI, an open source platform for managing cyber threat intelligence. Before version 7.260326.0, an authorization bypass flaw allowed any authenticated user with the KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions.

Attackers could exploit this by injecting the HTTP header 'synchronized-upsert: true', which enabled them to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect various STIX object types including Indicators, ThreatActors, Malware, and Reports.

This issue was fixed in OpenCTI version 7.260326.0.

Impact Analysis

The vulnerability can allow an attacker with certain permissions to bypass security controls within OpenCTI, leading to unauthorized modification of threat intelligence data.

  • Downgrade confidence levels of threat intelligence, potentially misleading decision-making.
  • Remove critical security markings such as TLP:RED, which are used to control information sharing and sensitivity.
  • Manipulate relationships and data within STIX object types like Indicators, ThreatActors, Malware, and Reports, compromising the integrity of the threat intelligence.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenCTI to version 7.260326.0 or later, where the authorization bypass issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart