External risk intelligence

OpenCTI allows attackers to control any user account, including admin.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-27960

An unauthenticated flaw in OpenCTI lets attackers access any user account, including administrators, through its API. This critical vulnerability poses a significant risk to sensitive cyber threat intelligence data.

Halo Surface Signal: 4

Weakness: Authentication Bypass

Product: Citeum OpenCTI

Affected versions: 6.9.0 to before 6.9.13

External exposure likelihood

Halo Surface Signal score for CVE-2026-27960

This vulnerability affects an API-driven web platform. Such systems are designed as centralized web services, typically deployed as APIs or web-accessible management interfaces; because they manage data integrations and support user access, they are usually reachable over the network in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated privilege escalation vulnerability in OpenCTI allows attackers to query the API as any user, including the default administrator. This could lead to unauthorized access and control of sensitive cyber threat intelligence data.

  • Attackers can impersonate users.
  • Sensitive intelligence data is at risk.
  • Affects systems reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this flaw by directly interacting with the OpenCTI API to impersonate any existing user. This allows them to gain elevated privileges, potentially including access to the default administrator account.

  • Target the API endpoint.
  • No authentication required.
  • Access as any user.

Live Threat

Current exploitation, exposure, and threat context

This privilege escalation vulnerability in OpenCTI allows unauthenticated attackers to impersonate any user via the API. Given its Critical severity and broad impact, attackers are likely to find it attractive for initial access or lateral movement, especially since no authentication is required. While not yet listed in the KEV catalog, the ease of exploitation and the potential for significant compromise make it a notable threat.

  • Affects API-driven web platforms.
  • Exploitable by unauthenticated attackers.
  • No KEV listing, but high impact.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching OpenCTI to version 6.9.13 or higher immediately, as this critical vulnerability allows unauthenticated attackers to escalate privileges to the administrator level. If immediate patching is not feasible, implement the provided workaround to disable external management of the default admin account.

  • Upgrade to OpenCTI 6.9.13 or later.
  • Disable default admin via configuration.
  • Monitor API logs for suspicious queries.

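The affected range above (6.9.0 up to, but not including, 6.9.13) is the kind of check an asset inventory should apply before deciding which hosts to patch first. The following Python is an added example, not code from the advisory or from the OpenCTI project; the host names and version strings in it are constructed for illustration, and the version-string format it accepts is an assumption (plain `MAJOR.MINOR.PATCH`, optionally prefixed with `v` or followed by a `-`/`+` suffix).

```python
"""Triage an OpenCTI inventory against the CVE-2026-27960 affected range.

Added example (not from the advisory or the OpenCTI project). The range
boundaries come from the advisory: 6.9.0 affected, fixed in 6.9.13.
"""
import re

AFFECTED_FROM = (6, 9, 0)    # first affected release, inclusive
FIXED_IN = (6, 9, 13)        # first fixed release, exclusive upper bound

# Assumed version format: optional 'v', MAJOR.MINOR.PATCH, optional '-rc1' / '+build' suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Parse a version string into a (major, minor, patch) tuple.

    Any suffix after the patch number is ignored, which deliberately treats a
    build like '6.9.5+build7' as the base release 6.9.5. Strings that do not
    match raise ValueError so an unknown version is never silently treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version falls in [6.9.0, 6.9.13)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def triage(inventory):
    """Split an inventory (host -> version string) into affected hosts and
    hosts whose version could not be parsed and need manual review."""
    affected, review = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            review.append(host)
    return affected, review


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "cti-prod-01": "6.9.12",        # last affected patch level
    "cti-prod-02": "6.9.13",        # fixed release
    "cti-lab": "6.8.4",             # below the affected range
    "cti-dev": "v6.9.5+build7",     # suffix ignored, still affected
    "cti-unknown": "latest",        # unparsable: flag for manual review
}

if __name__ == "__main__":
    affected, review = triage(SAMPLE_INVENTORY)
    print("Patch first:", ", ".join(affected))
    print("Verify manually:", ", ".join(review))
```

Hosts reported under "verify manually" should be treated as affected until their real version is confirmed; an inventory entry such as `latest` says nothing about whether 6.9.13 was actually deployed.
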
Frequently asked questions

What is OpenCTI and what is it used for?

OpenCTI is an open-source platform designed for managing and organizing cyber threat intelligence. It helps users collect, store, and share information about cyber threats and their associated data, like indicators of compromise, to better understand and defend against malicious activities.

What kind of weakness does CVE-2026-27960 represent?

CVE-2026-27960 is a privilege escalation vulnerability, specifically categorized under CWE-287, which deals with improper authentication. This means an attacker can exploit a flaw to gain higher privileges than they are normally entitled to, allowing them to act as a more powerful user.

How could an attacker exploit this CVE-2026-27960 vulnerability?

An attacker could exploit this vulnerability by sending specific queries to the OpenCTI API without needing any prior authentication. This allows them to access the system as if they were any existing user, including the default administrator account, without needing valid login credentials.

Who should be concerned about this CVE-2026-27960 threat?

Organizations using OpenCTI, particularly those with internet-facing deployments, should be concerned. Because the vulnerability is exploitable via the API without authentication, and the platform is designed as a web service, it is classified as an external threat.

What is the first step to address this OpenCTI vulnerability?

The primary immediate action is to update OpenCTI to version 6.9.13 or a later release. If updating is not possible right away, a workaround involves disabling the default administrator account through specific configuration settings to mitigate the risk.
