Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.
Published: 2026-07-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user possessing the KNOWLEDGE_KNUPDATE permission can set the synchronized-upsert: true HTTP header, which the OpenCTI application incorrectly accepts as a truestated keyword. By doing so, the user can bypass internal checks that enforce confidence level limits and Object Marking restrictions. This flaw allows an attacker to lower the confidence of threat intelligence entities, strip critical security markings such as TLP:RED, alter relationships between STIX objects, and modify many core object types, including Indicators, ThreatActors, Malware and Reports. The integrity and confidentiality of the threat data are therefore compromised, potentially undermining downstream analytics and reporting.

Affected Systems

OpenCTI Platform (OpenCTI) versions prior to 7.260326.0 are affected. The vulnerability is tied to the platform's handling of HTTP headers in API contexts, so any instance of the platform deployed before the mentioned release is vulnerable.

Risk and Exploitability

The base CVSS score of 7.1 indicates a high severity. Although the EPSS score is not available, the fact that the issue can be triggered by an authenticated user with a specific role suggests that the attack vector is an exposed HTTP API. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of immediate exploitation but still presenting a serious risk to organizations that rely on the platform for accurate threat intelligence. A malicious actor with the necessary role could exploit this flaw remotely by crafting a request with the injection header to manipulate data without further authentication steps.

Generated by OpenCVE AI on July 9, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenCTI platform to version 7.260326.0 or later. This release removes the header injection flaw and restores proper authorization checks for confidence levels and object markings.
  • Review role assignments to ensure that the KNOWLEDGE_KNUPDATE permission is only granted to trusted users who require this level of access. Limiting this permission reduces the potential impact of any remaining header-related issues.
  • Implement input validation or firewall rules to reject or strip the synchronized-upsert header from inbound requests, adding an extra layer of defense in case a future patch is delayed.

Generated by OpenCVE AI on July 9, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Opencti-platform
Opencti-platform opencti
Vendors & Products Opencti-platform
Opencti-platform opencti

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header, enabling attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. This issue is fixed in version 7.260326.0.
Title OpenCTI: Authorization Bypass via `synchronized-upsert` HTTP Header Injection
Weaknesses CWE-639
CWE-863
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


Subscriptions

Opencti-platform Opencti
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-09T13:45:43.275Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35210

cve-icon Vulnrichment

Updated: 2026-07-09T13:45:39.218Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:00:11Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-863

    Incorrect Authorization