CVE-2026-35210 in OpenCTIinfo

Summary

by MITRE • 07/09/2026

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/09/2026

The OpenCTI platform represents a critical component in cyber threat intelligence management systems, serving as a centralized repository for organizing and sharing security observables and threat knowledge. This vulnerability affects versions prior to 7.260326.0 where a fundamental authorization bypass flaw exists within the platform's access control mechanisms. The issue stems from insufficient validation of user permissions during specific data modification operations, creating a pathway for authenticated users to circumvent established security controls that govern confidence level enforcement and object marking restrictions.

The technical exploitation of this vulnerability occurs through the manipulation of HTTP headers, specifically by injecting the synchronized-upsert: true parameter into API requests. This header injection technique allows malicious actors who possess the KNOWLEDGE_KNUPDATE permission to bypass the normal validation processes that should enforce confidence level constraints and maintain object marking integrity. The flaw represents a direct violation of the principle of least privilege and demonstrates inadequate input sanitization within the platform's data processing pipeline.

From an operational perspective, this vulnerability creates significant risk for organizations relying on OpenCTI for threat intelligence management. Attackers can downgrade confidence levels of security indicators from high to low, potentially causing downstream systems to ignore critical threat signals. The ability to remove TLP:RED markings and other security restrictions undermines the entire threat intelligence sharing framework, as these markings serve as essential contextual controls that prevent unauthorized disclosure of sensitive information. Additionally, the vulnerability enables manipulation of relationships between STIX objects, which can corrupt the integrity of threat intelligence graphs and lead to incorrect threat assessments.

The impact extends across multiple STIX object types including Indicators, ThreatActors, Malware, and Reports, affecting the platform's core functionality for managing cyber threat data. This authorization bypass creates a persistent security risk that can compromise the reliability of threat intelligence feeds and undermine trust in the system's integrity. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a significant weakness in the platform's defense-in-depth strategy, as it allows privilege escalation through header manipulation rather than traditional attack vectors.

Organizations should immediately implement mitigations including upgrading to version 7.260326.0 or later, which addresses the authorization bypass by strengthening validation controls for the synchronized-upsert header parameter. Additional protective measures include implementing network-level controls to monitor and block suspicious HTTP header patterns, establishing enhanced logging of API requests containing the vulnerable header, and conducting regular security assessments of threat intelligence platforms. The remediation process should also involve reviewing existing access control policies and ensuring that users with KNOWLEDGE_KNUPDATE permissions are properly vetted and monitored for potentially malicious activity.

This vulnerability demonstrates the critical importance of validating all user inputs and maintaining strict enforcement of access controls even within authenticated sessions, as highlighted in ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) where unauthorized privilege escalation can occur through subtle manipulation of system parameters. The fix implemented in version 7.260326.0 represents a necessary security enhancement that restores proper authorization checks and prevents the injection-based bypass mechanism that previously allowed attackers to circumvent established security boundaries within the OpenCTI platform's threat intelligence management framework.

Responsible

GitHub M

Reservation

04/01/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!