PatchSiren cyber security CVE debrief
CVE-2026-35210 OpenCTI-Platform CVE debrief
CVE-2026-35210 is an authorization bypass vulnerability in OpenCTI, allowing any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions by injecting the synchronized-upsert: true HTTP header. This enables attackers to downgrade confidence levels, remove security markings such as TLP:RED, manipulate relationships, and affect STIX object types including Indicators, ThreatActors, Malware, and Reports. The issue is fixed in version 7.260326.0. Users of OpenCTI should be aware of this vulnerability and take immediate action to upgrade or apply necessary patches.
- Vendor
- OpenCTI-Platform
- Product
- opencti
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of OpenCTI platform, especially those with authenticated access and KNOWLEDGE_KNUPDATE permission, should be aware of this vulnerability and take immediate action to upgrade to version 7.260326.0 or apply necessary patches. This includes OpenCTI operators, platform administrators, vulnerability management teams, and security teams who need to assess and mitigate this vulnerability.
Technical summary
The vulnerability exists in OpenCTI platform prior to version 7.260326.0. An authenticated user with KNOWLEDGE_KNUPDATE permission can inject the synchronized-upsert: true HTTP header to bypass Confidence Level validation and Object Marking restrictions. This allows for unauthorized actions such as downgrading confidence levels, removing security markings, and manipulating relationships between STIX objects, including Indicators, ThreatActors, Malware, and Reports.
Defensive priority
High
Recommended defensive actions
- Upgrade OpenCTI to version 7.260326.0 or later
- Restrict KNOWLEDGE_KNUPDATE permission to only necessary users
- Monitor and audit user activities for suspicious behavior
- Implement additional security measures to protect against unauthorized access
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-08T21:16:48.487Z and was last modified on 2026-07-10T19:03:20.407Z. The NVD entry is currently Undergoing Analysis. There is limited information available about the specific details of this vulnerability, and defenders should verify the affected scope and severity with the vendor. The synchronized-upsert: true HTTP header injection allows for unauthorized actions, including confidence level downgrades and security marking removals.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:48.487Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.