PatchSiren cyber security CVE debrief
CVE-2026-35211 OpenCTI-Platform CVE debrief
CVE-2026-35211 is a vulnerability in the OpenCTI GraphQL API that allows authenticated users with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization. This can lead to computationally expensive scripts consuming cluster CPU resources and degrading or denying service for all users. The issue is fixed in version 7.260401.0. Affected product deployments should be reviewed for exposure.
- Vendor
- OpenCTI-Platform
- Product
- opencti
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of OpenCTI platform, particularly those with the KNOWLEDGE capability, should be aware of this vulnerability and take steps to mitigate it by reviewing relevant monitoring, detection, and logs for exposed assets that need extra review to ensure thorough vulnerability management. They should also confirm whether affected product deployments exist in managed environments and assign an owner for follow-up to ensure accountability and timely resolution.
Technical summary
The OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization. This can lead to computationally expensive scripts consuming cluster CPU resources and degrading or denying service for all users. The issue is fixed in version 7.260401.0. Affected product deployments should be reviewed for exposure, and defenders should focus on upgrading to OpenCTI version 7.260401.0 or later and restricting access to the GraphQL API for users with the KNOWLEDGE capability.
Defensive priority
Medium priority due to the potential for denial of service and the required authentication. Defenders should focus on upgrading to OpenCTI version 7.260401.0 or later and restricting access to the GraphQL API for users with the KNOWLEDGE capability. Compensating controls and monitoring are also recommended to mitigate potential impacts while remediation is scheduled and verified. Additionally, tracking exceptions and retesting remediated assets are crucial steps in the defensive process. Review relevant monitoring, detection, and logs for exposed assets that need extra review to ensure thorough vulnerability management. Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up to ensure accountability and timely resolution. Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed to minimize operational disruptions. Check for source-grounded technical framing and evidence limits to validate the vulnerability's impact and required defensive measures. This vulnerability has a CVSS score of 6.5 and a MEDIUM severity level, emphasizing the need for prompt attention and mitigation to prevent potential service degradation or denial. Users of OpenCTI platform, particularly those with the KNOWLEDGE capability, should be aware of this vulnerability and take steps to mitigate it by following the recommended actions and staying informed about the vulnerability's details and impacts through reliable sources like CVE.org and NVD. The CVE record and NVD entry provide critical information for understanding and addressing this vulnerability effectively. Therefore, it is essential to review these sources and implement necessary defensive measures to protect against potential exploitation. The OpenCTI GraphQL API's exposure of a script filter operator in its FilterOperator enum allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, which can lead to computationally expensive scripts consuming cluster CPU resources and degrading or denying service for all. To
Recommended defensive actions
- Upgrade to OpenCTI version 7.260401.0 or later
- Restrict access to the GraphQL API for users with the KNOWLEDGE capability
- Monitor for suspicious activity and implement compensating controls
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-08T21:16:48.630Z and was last modified on 2026-07-10T16:16:29.243Z. The NVD entry is currently MEDIUM. This vulnerability affects OpenCTI platform users with the KNOWLEDGE capability. Evidence limits suggest verifying affected product deployments and validating vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:48.630Z and has not been modified since then. The NVD entry is currently MEDIUM.