Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.
Published: 2026-05-05
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In OpenCTI platform versions 6.6.0 through 6.9.12, an unauthenticated attacker can exploit a privilege escalation flaw to query the API as any existing user, including the default admin account. This vulnerability exposes the full set of authorizations granted to the default admin, allowing the attacker to read, modify, or delete threat intelligence data stored in the system. The weakness is a classic authentication bypass flaw (CWE-287).

Affected Systems

OpenCTI-Platform opencti, specifically versions 6.6.0 to 6.9.12. The issue has been addressed in version 6.9.13 and later.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. No EPSS score is available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Attackers can exploit the flaw by sending unauthenticated API requests, implying a high likelihood of remote exploitation with no additional credentials required.

Generated by OpenCVE AI on May 5, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenCTI to version 6.9.13 or later to apply the vendor patch.
  • If an upgrade cannot be performed immediately, set the configuration APP__ADMIN__EXTERNALLY_MANAGED to true to disable the default admin account.
  • Review API access controls and remove any other default or unnecessary user accounts to reduce attack surface.

Generated by OpenCVE AI on May 5, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Opencti-platform
Opencti-platform opencti
Vendors & Products Opencti-platform
Opencti-platform opencti

Tue, 05 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.
Title OpenCTI privilege escalation and unauthenticated access via default admin account
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Opencti-platform Opencti
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T18:35:41.854Z

Reserved: 2026-02-25T03:24:57.792Z

Link: CVE-2026-27960

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T19:16:21.380

Modified: 2026-05-05T19:16:21.380

Link: CVE-2026-27960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses