CVE-2026-35211
Received Received - Intake

OpenCTI GraphQL API Elasticsearch Script Filter DoS

Vulnerability report for CVE-2026-35211, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, allowing computationally expensive scripts to consume cluster CPU resources and degrade or deny service for all users. This issue is fixed in version 7.260401.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
opencti opencti 7.260401.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the OpenCTI platform's GraphQL API prior to version 7.260401.0. It allows any authenticated user with the KNOWLEDGE capability to use a script filter operator that accepts user-supplied Elasticsearch Painless scripts without any validation or sanitization.

Because these scripts are passed directly into search queries, an attacker can submit computationally expensive scripts that consume excessive CPU resources on the cluster.

This can degrade the performance of the system or even cause a denial of service for all users.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with certain privileges to execute expensive scripts that overload the system's CPU resources.

As a result, the system's performance can degrade significantly, or it can become unavailable, causing a denial of service for all users relying on the OpenCTI platform.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenCTI to version 7.260401.0 or later, where the issue has been fixed.

Additionally, restrict or review user permissions to limit the KNOWLEDGE capability to trusted users only, as the vulnerability requires authenticated users with this capability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35211. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart