PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35211 OpenCTI-Platform CVE debrief

CVE-2026-35211 is a vulnerability in the OpenCTI GraphQL API that allows authenticated users with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization. This can lead to computationally expensive scripts consuming cluster CPU resources and degrading or denying service for all users. The issue is fixed in version 7.260401.0. Affected product deployments should be reviewed for exposure.

Vendor
OpenCTI-Platform
Product
opencti
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of OpenCTI platform, particularly those with the KNOWLEDGE capability, should be aware of this vulnerability and take steps to mitigate it by reviewing relevant monitoring, detection, and logs for exposed assets that need extra review to ensure thorough vulnerability management. They should also confirm whether affected product deployments exist in managed environments and assign an owner for follow-up to ensure accountability and timely resolution.

Technical summary

The OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization. This can lead to computationally expensive scripts consuming cluster CPU resources and degrading or denying service for all users. The issue is fixed in version 7.260401.0. Affected product deployments should be reviewed for exposure, and defenders should focus on upgrading to OpenCTI version 7.260401.0 or later and restricting access to the GraphQL API for users with the KNOWLEDGE capability.

Defensive priority

Medium priority due to the potential for denial of service and the required authentication. Defenders should focus on upgrading to OpenCTI version 7.260401.0 or later and restricting access to the GraphQL API for users with the KNOWLEDGE capability. Compensating controls and monitoring are also recommended to mitigate potential impacts while remediation is scheduled and verified. Additionally, tracking exceptions and retesting remediated assets are crucial steps in the defensive process. Review relevant monitoring, detection, and logs for exposed assets that need extra review to ensure thorough vulnerability management. Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up to ensure accountability and timely resolution. Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed to minimize operational disruptions. Check for source-grounded technical framing and evidence limits to validate the vulnerability's impact and required defensive measures. This vulnerability has a CVSS score of 6.5 and a MEDIUM severity level, emphasizing the need for prompt attention and mitigation to prevent potential service degradation or denial. Users of OpenCTI platform, particularly those with the KNOWLEDGE capability, should be aware of this vulnerability and take steps to mitigate it by following the recommended actions and staying informed about the vulnerability's details and impacts through reliable sources like CVE.org and NVD. The CVE record and NVD entry provide critical information for understanding and addressing this vulnerability effectively. Therefore, it is essential to review these sources and implement necessary defensive measures to protect against potential exploitation. The OpenCTI GraphQL API's exposure of a script filter operator in its FilterOperator enum allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, which can lead to computationally expensive scripts consuming cluster CPU resources and degrading or denying service for all. To

Recommended defensive actions

  • Upgrade to OpenCTI version 7.260401.0 or later
  • Restrict access to the GraphQL API for users with the KNOWLEDGE capability
  • Monitor for suspicious activity and implement compensating controls
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T21:16:48.630Z and was last modified on 2026-07-10T16:16:29.243Z. The NVD entry is currently MEDIUM. This vulnerability affects OpenCTI platform users with the KNOWLEDGE capability. Evidence limits suggest verifying affected product deployments and validating vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:48.630Z and has not been modified since then. The NVD entry is currently MEDIUM.