Overview
A high-severity authorization bypass vulnerability has been disclosed in OpenCTI, the popular open-source cyber threat intelligence (CTI) platform. Tracked as CVE-2026-35210 with a CVSS score of 7.1, the flaw allows any authenticated user holding the KNOWLEDGE_KNUPDATE permission to bypass two critical security controls:
- Confidence Level validation — which governs the reliability rating applied to threat intelligence objects
- Object Marking restrictions — which control access to classified or restricted intelligence data (e.g., TLP:RED, TLP:AMBER)
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenCTI | All versions prior to 7.260326.0 | 7.260326.0 |
Vulnerability Details
OpenCTI uses a role-based access control (RBAC) model with fine-grained permission sets. The KNOWLEDGE_KNUPDATE permission is commonly assigned to analysts who need to update threat intelligence entries — such as indicators of compromise (IoCs), threat actors, attack patterns, and relationships.
The authorization bypass in CVE-2026-35210 means that such users can:
- Override confidence levels on intelligence objects beyond their sanctioned authority, potentially inflating or deflating the perceived reliability of threat data
- Access or modify object-marked data (e.g., TLP:RED intelligence) without having the corresponding marking grants
This can lead to data integrity issues within a CTI platform, unauthorized disclosure of sensitive intelligence to internal analysts who should not have access, and potential manipulation of threat intelligence shared with partners via STIX/TAXII feeds.
Impact Assessment
While the vulnerability requires authentication and the KNOWLEDGE_KNUPDATE permission (reducing the attack surface to internal users), the impact in a threat intelligence environment is significant:
- Integrity: Analysts could alter confidence scores on high-fidelity intelligence, degrading the quality of detections built on that data
- Confidentiality: TLP:RED or partner-restricted intelligence could be accessed by unauthorized personnel
- Compliance: Organizations sharing intelligence under traffic light protocol (TLP) obligations may face compliance violations
Remediation
Update immediately to OpenCTI version 7.260326.0 or later.
The OpenCTI team has patched the authorization logic to properly enforce Confidence Level and Object Marking restrictions regardless of the KNOWLEDGE_KNUPDATE permission state.
# For Docker-based deployments, pull the latest image
docker pull opencti/platform:7.260326.0
# Check current version
docker exec <opencti-container> cat /opt/opencti-build/opencti-platform/opencti-front/package.json | grep '"version"'Workaround
If immediate patching is not feasible, consider:
- Restrict
KNOWLEDGE_KNUPDATEto the smallest set of trusted users until the patch is applied - Audit recent confidence level changes and object marking access logs for unauthorized modifications
- Segregate high-sensitivity markings (TLP:RED, TLP:AMBER+STRICT) to a separate isolated OpenCTI instance if possible
Detection
Review OpenCTI audit logs for unexpected modifications to confidence levels or object markings by users who should not have those privileges:
- Look for
KNOWLEDGE_KNUPDATEusers modifying TLP:RED or TLP:AMBER objects - Audit confidence level changes on high-value IoCs, threat actor profiles, and vulnerability entries
- Cross-reference changes against expected role assignments
References
- NVD — CVE-2026-35210
- OpenCTI GitHub Repository
- OpenCTI Release 7.260326.0 (patch release)