Impact
An authenticated user possessing the KNOWLEDGE_KNUPDATE permission can set the synchronized-upsert: true HTTP header, which the OpenCTI application incorrectly accepts as a truestated keyword. By doing so, the user can bypass internal checks that enforce confidence level limits and Object Marking restrictions. This flaw allows an attacker to lower the confidence of threat intelligence entities, strip critical security markings such as TLP:RED, alter relationships between STIX objects, and modify many core object types, including Indicators, ThreatActors, Malware and Reports. The integrity and confidentiality of the threat data are therefore compromised, potentially undermining downstream analytics and reporting.
Affected Systems
OpenCTI Platform (OpenCTI) versions prior to 7.260326.0 are affected. The vulnerability is tied to the platform's handling of HTTP headers in API contexts, so any instance of the platform deployed before the mentioned release is vulnerable.
Risk and Exploitability
The base CVSS score of 7.1 indicates a high severity. Although the EPSS score is not available, the fact that the issue can be triggered by an authenticated user with a specific role suggests that the attack vector is an exposed HTTP API. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of immediate exploitation but still presenting a serious risk to organizations that rely on the platform for accurate threat intelligence. A malicious actor with the necessary role could exploit this flaw remotely by crafting a request with the injection header to manipulate data without further authentication steps.
OpenCVE Enrichment