Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7.
Published: 2026-05-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect ACL on the userEdit relationAdd endpoint in OpenCTI allows an organization administrator to add a user belonging to a higher‑privilege organization into their own organization, effectively elevating the administrator’s privileges across the platform. The flaw is a classic authorization bypass (CWE‑284) and can result in unauthorized access to data and configuration that the higher‑privilege user normally controls.

Affected Systems

The vulnerability affects the OpenCTI‑Platform OpenCTI application for all releases before version 6.9.7. Any deployment of the open‑source platform that has not applied the 6.9.7 update is susceptible.

Risk and Exploitability

The CVSS score of 7.2 indicates a high‑severity privilege escalation risk. The EPSS score is < 1% (0.00036), indicating a very low exploitation probability, but the flaw involves an internal interface that an organization admin can use, so the likelihood of exploitation is still significant for compromised or misconfigured accounts. The vulnerability is not currently listed in CISA KEV, but administrators should treat it as a serious risk due to the potential for cross‑organization privilege abuse.

Generated by OpenCVE AI on May 27, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenCTI to version 6.9.7 or later, which contains the ACL fix for userEdit relationAdd.
  • Revalidate organization‑level ACLs to ensure that admins cannot add users from other organizations.
  • Audit user activity logs for unauthorized cross‑organization user additions and enforce strict monitoring.

Generated by OpenCVE AI on May 27, 2026 at 22:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q537-qhj4-wcjx OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd
History

Thu, 28 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Citeum
Citeum opencti
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*
Vendors & Products Citeum
Citeum opencti

Tue, 26 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Opencti-platform
Opencti-platform opencti
Vendors & Products Opencti-platform
Opencti-platform opencti

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7.
Title OpenCTI: Privilege escalation via graphQL API abusable by organization admins, due to incorrect ACL on userEdit relationAdd
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Citeum Opencti
Opencti-platform Opencti
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:02:34.018Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44730

cve-icon Vulnrichment

Updated: 2026-05-28T14:02:30.344Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T18:16:51.023

Modified: 2026-05-27T15:40:38.150

Link: CVE-2026-44730

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T22:15:26Z

Weaknesses