CVE-2026-35210: CWE-639: Authorization Bypass Through User-Controlled Key in OpenCTI-Platform opencti
OpenCTI versions prior to 7.260326.0 contain an authorization bypass vulnerability that allows authenticated users with KNOWLEDGE_KNUPDATE permission to bypass confidence level validation and object marking restrictions. By injecting a specific HTTP header, attackers can downgrade confidence levels, remove security markings such as TLP:RED, and manipulate various STIX object types including Indicators, ThreatActors, Malware, and Reports. This vulnerability is fixed in version 7.260326.0.
AI Analysis
Technical Summary
CVE-2026-35210 is an authorization bypass vulnerability in the OpenCTI platform (opencti) affecting versions before 7.260326.0. Authenticated users with the KNOWLEDGE_KNUPDATE permission can inject the 'synchronized-upsert: true' HTTP header to bypass confidence level validation and object marking restrictions. This enables unauthorized modification of confidence levels, removal of security markings like TLP:RED, and manipulation of relationships and STIX object types such as Indicators, ThreatActors, Malware, and Reports. The vulnerability is addressed in version 7.260326.0.
Potential Impact
An attacker with authenticated access and KNOWLEDGE_KNUPDATE permission can bypass critical authorization controls, allowing them to downgrade confidence levels and remove security markings that are intended to protect sensitive threat intelligence data. This can lead to manipulation of threat intelligence objects, potentially undermining the integrity and trustworthiness of the data used for cybersecurity operations. The impact includes confidentiality loss (partial), integrity compromise (high), and no availability impact.
Mitigation Recommendations
Upgrade OpenCTI to version 7.260326.0 or later, where this authorization bypass vulnerability is fixed. No other official remediation or temporary fixes are indicated. Until the upgrade, restrict KNOWLEDGE_KNUPDATE permissions to trusted users only.
CVE-2026-35210: CWE-639: Authorization Bypass Through User-Controlled Key in OpenCTI-Platform opencti
Description
OpenCTI versions prior to 7.260326.0 contain an authorization bypass vulnerability that allows authenticated users with KNOWLEDGE_KNUPDATE permission to bypass confidence level validation and object marking restrictions. By injecting a specific HTTP header, attackers can downgrade confidence levels, remove security markings such as TLP:RED, and manipulate various STIX object types including Indicators, ThreatActors, Malware, and Reports. This vulnerability is fixed in version 7.260326.0.
CVSS v3.1
Score 7.1high
Affected software
pkg:github/opencti-platform/openctiRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35210 is an authorization bypass vulnerability in the OpenCTI platform (opencti) affecting versions before 7.260326.0. Authenticated users with the KNOWLEDGE_KNUPDATE permission can inject the 'synchronized-upsert: true' HTTP header to bypass confidence level validation and object marking restrictions. This enables unauthorized modification of confidence levels, removal of security markings like TLP:RED, and manipulation of relationships and STIX object types such as Indicators, ThreatActors, Malware, and Reports. The vulnerability is addressed in version 7.260326.0.
Potential Impact
An attacker with authenticated access and KNOWLEDGE_KNUPDATE permission can bypass critical authorization controls, allowing them to downgrade confidence levels and remove security markings that are intended to protect sensitive threat intelligence data. This can lead to manipulation of threat intelligence objects, potentially undermining the integrity and trustworthiness of the data used for cybersecurity operations. The impact includes confidentiality loss (partial), integrity compromise (high), and no availability impact.
Mitigation Recommendations
Upgrade OpenCTI to version 7.260326.0 or later, where this authorization bypass vulnerability is fixed. No other official remediation or temporary fixes are indicated. Until the upgrade, restrict KNOWLEDGE_KNUPDATE permissions to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T18:48:58.937Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4ebdf5c9d9e3dbe3bf8aee
Added to database: 07/08/2026, 21:15:33 UTC
Last enriched: 07/08/2026, 21:28:43 UTC
Last updated: 07/09/2026, 01:44:36 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.