PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35210 OpenCTI-Platform CVE debrief

CVE-2026-35210 is an authorization bypass vulnerability in OpenCTI, allowing any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header. This enables attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. The issue is fixed in version 7.260326.0. Users of OpenCTI should be aware of this vulnerability and take immediate action to upgrade or apply necessary patches.

Vendor
OpenCTI-Platform
Product
opencti
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of OpenCTI platform, especially those with authenticated access and KNOWLEDGE_KNUPDATE permission, should be aware of this vulnerability and take immediate action to upgrade to version 7.260326.0 or apply necessary patches. This includes OpenCTI operators, platform administrators, vulnerability management teams, and security teams who need to assess and mitigate this vulnerability.

Technical summary

The vulnerability exists in OpenCTI platform prior to version 7.260326.0. An authenticated user with KNOWLEDGE_KNUPDATE permission can inject the synchronized-upsert: true HTTP header to bypass Confidence Level validation and Object Marking restrictions. This allows for unauthorized actions such as downgrading confidence levels, removing security markings, and manipulating relationships between STIX objects, including Indicators, ThreatActors, Malware, and Reports.

Defensive priority

High

Recommended defensive actions

  • Upgrade OpenCTI to version 7.260326.0 or later
  • Restrict KNOWLEDGE_KNUPDATE permission to only necessary users
  • Monitor and audit user activities for suspicious behavior
  • Implement additional security measures to protect against unauthorized access
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T21:16:48.487Z and was last modified on 2026-07-10T19:03:20.407Z. The NVD entry is currently Undergoing Analysis. There is limited information available about the specific details of this vulnerability, and defenders should verify the affected scope and severity with the vendor. The synchronized-upsert: true HTTP header injection allows for unauthorized actions, including confidence level downgrades and security marking removals.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:48.487Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.