Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-35210: OpenCTI Authorization Bypass Allows Confidence Level and Object Marking Circumvention
CVE-2026-35210: OpenCTI Authorization Bypass Allows Confidence Level and Object Marking Circumvention
SECURITYHIGHCVE-2026-35210

CVE-2026-35210: OpenCTI Authorization Bypass Allows Confidence Level and Object Marking Circumvention

An authentication bypass vulnerability in OpenCTI prior to 7.260326.0 allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions, potentially escalating access to sensitive threat intelligence data.

Dylan H.

Security Team

July 9, 2026
3 min read

Affected Products

  • OpenCTI < 7.260326.0

Overview

A high-severity authorization bypass vulnerability has been disclosed in OpenCTI, the popular open-source cyber threat intelligence (CTI) platform. Tracked as CVE-2026-35210 with a CVSS score of 7.1, the flaw allows any authenticated user holding the KNOWLEDGE_KNUPDATE permission to bypass two critical security controls:

  1. Confidence Level validation — which governs the reliability rating applied to threat intelligence objects
  2. Object Marking restrictions — which control access to classified or restricted intelligence data (e.g., TLP:RED, TLP:AMBER)

Affected Versions

ProductAffected VersionsFixed Version
OpenCTIAll versions prior to 7.260326.07.260326.0

Vulnerability Details

OpenCTI uses a role-based access control (RBAC) model with fine-grained permission sets. The KNOWLEDGE_KNUPDATE permission is commonly assigned to analysts who need to update threat intelligence entries — such as indicators of compromise (IoCs), threat actors, attack patterns, and relationships.

The authorization bypass in CVE-2026-35210 means that such users can:

  • Override confidence levels on intelligence objects beyond their sanctioned authority, potentially inflating or deflating the perceived reliability of threat data
  • Access or modify object-marked data (e.g., TLP:RED intelligence) without having the corresponding marking grants

This can lead to data integrity issues within a CTI platform, unauthorized disclosure of sensitive intelligence to internal analysts who should not have access, and potential manipulation of threat intelligence shared with partners via STIX/TAXII feeds.

Impact Assessment

While the vulnerability requires authentication and the KNOWLEDGE_KNUPDATE permission (reducing the attack surface to internal users), the impact in a threat intelligence environment is significant:

  • Integrity: Analysts could alter confidence scores on high-fidelity intelligence, degrading the quality of detections built on that data
  • Confidentiality: TLP:RED or partner-restricted intelligence could be accessed by unauthorized personnel
  • Compliance: Organizations sharing intelligence under traffic light protocol (TLP) obligations may face compliance violations

Remediation

Update immediately to OpenCTI version 7.260326.0 or later.

The OpenCTI team has patched the authorization logic to properly enforce Confidence Level and Object Marking restrictions regardless of the KNOWLEDGE_KNUPDATE permission state.

# For Docker-based deployments, pull the latest image
docker pull opencti/platform:7.260326.0
 
# Check current version
docker exec <opencti-container> cat /opt/opencti-build/opencti-platform/opencti-front/package.json | grep '"version"'

Workaround

If immediate patching is not feasible, consider:

  1. Restrict KNOWLEDGE_KNUPDATE to the smallest set of trusted users until the patch is applied
  2. Audit recent confidence level changes and object marking access logs for unauthorized modifications
  3. Segregate high-sensitivity markings (TLP:RED, TLP:AMBER+STRICT) to a separate isolated OpenCTI instance if possible

Detection

Review OpenCTI audit logs for unexpected modifications to confidence levels or object markings by users who should not have those privileges:

  • Look for KNOWLEDGE_KNUPDATE users modifying TLP:RED or TLP:AMBER objects
  • Audit confidence level changes on high-value IoCs, threat actor profiles, and vulnerability entries
  • Cross-reference changes against expected role assignments

References

  • NVD — CVE-2026-35210
  • OpenCTI GitHub Repository
  • OpenCTI Release 7.260326.0 (patch release)
#Vulnerability#CVE#OpenCTI#Authorization Bypass#Threat Intelligence#Security Updates

Related Articles

CVE-2025-55017: Apache IoTDB Critical Path Traversal Vulnerability

Critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.5. Users must upgrade...

4 min read

CVE-2025-64152: Apache IoTDB Second Critical Path Traversal Flaw

A second critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6. Patch to 1.3.6 or...

5 min read

CVE-2026-47365: WordPress Toolkit Argument Injection in cPanel & WHM

A critical CVSS 9.9 argument injection vulnerability in WordPress Toolkit before 6.11.0 allows remote authenticated users to bypass cross-tenant...

4 min read
Back to all Security Alerts