CVE-2026-35211 in OpenCTI
Summary
by MITRE • 07/09/2026
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, allowing computationally expensive scripts to consume cluster CPU resources and degrade or deny service for all users. This issue is fixed in version 7.260401.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability exists within the OpenCTI platform's GraphQL API implementation where the FilterOperator enum includes a script filter operator that permits authenticated users with KNOWLEDGE capability to inject arbitrary Elasticsearch Painless scripts directly into search queries. This flaw represents a critical security weakness that enables privilege escalation and resource exhaustion attacks against the underlying Elasticsearch cluster infrastructure. The absence of input validation and sanitization creates an environment where malicious actors can submit computationally intensive scripts that consume excessive CPU cycles, leading to denial of service conditions that impact all system users. This vulnerability directly maps to CWE-94, Software Fault, and specifically CWE-400, Uncontrolled Resource Consumption, as it allows attackers to manipulate resource allocation through crafted script inputs.
The operational impact of this vulnerability extends beyond simple performance degradation to encompass potential complete system compromise and service disruption. When authenticated users exploit this weakness, they can submit scripts designed to perform intensive computations such as nested loops, recursive operations, or memory-intensive processes that overwhelm the Elasticsearch cluster's processing capabilities. The vulnerability affects all versions prior to 7.260401.0, making it a persistent threat across multiple releases of the platform. Attackers could leverage this issue to conduct sustained resource exhaustion attacks that degrade system performance over time or execute immediate denial of service attacks that render the threat intelligence platform unusable for legitimate users.
This vulnerability aligns with several ATT&CK techniques including T1496, Resource Hijacking, and T1059, Command and Scripting Interpreter, as it enables attackers to execute malicious scripts within the system's processing environment. The attack surface is particularly concerning because it requires only authenticated access with KNOWLEDGE capability, which many operational security teams consider a standard permission level for analysts and administrators. The fix implemented in version 7.260401.0 addresses this by introducing proper validation and sanitization of user-supplied script values before they are processed by the Elasticsearch cluster. This mitigation strategy follows industry best practices for preventing injection attacks and resource exhaustion scenarios that are commonly exploited in cyber attacks targeting infrastructure components.
Organizations utilizing OpenCTI should immediately implement the patched version 7.260401.0 to address this vulnerability, as the risk of exploitation remains significant given the platform's widespread adoption in cybersecurity operations. The remediation approach demonstrates proper security engineering principles by implementing input validation at the API boundary rather than relying on trust-based access controls alone. Security teams should also consider implementing additional monitoring for unusual script execution patterns and resource consumption spikes that could indicate exploitation attempts. The vulnerability serves as a reminder of the importance of validating all user inputs in database query interfaces and the critical need for proper sanitization of dynamic content in distributed systems that process user-supplied data, particularly when operating on infrastructure that may be targeted by adversarial actors seeking to disrupt security operations.