PatchSiren cyber security CVE debrief

# CVE-2026-44730 OpenCTI-Platform CVE debrief
## Summary

CVE-2026-44730 is a HIGH severity (CVSS 7.2) privilege-escalation vulnerability in OpenCTI, an open-source cyber-threat-intelligence platform. Prior to version 6.9.7, an organization administrator can escalate their own privileges by adding a user from a different organization who already holds higher privileges. The root cause is an incorrect access-control list (ACL) on the `userEdit` → `relationAdd` operation.

## Affected Product

| Field | Value |
|-------|-------|
| Product | OpenCTI |
| Vendor | OpenCTI-Platform (GitHub) |
| Affected versions | < 6.9.7 |
| Fixed version | 6.9.7 |

## Technical Details

The flaw resides in the authorization logic that governs the `relationAdd` mutation when editing a user (`userEdit`). An organization admin with limited scope can invoke this mutation to associate a user from another organization with their own organization. If that external user possesses broader or higher-level privileges (e.g., platform-wide admin rights), the requesting admin effectively inherits those capabilities, resulting in horizontal-to-vertical privilege escalation. The underlying weakness is categorized as **CWE-284: Improper Access Control**.

## CVSS 3.1 Vector

`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`

* **Attack Vector (AV):** Network – exploitable remotely.
* **Attack Complexity (AC):** Low – no special conditions required.
* **Privileges Required (PR):** High – the attacker must already hold an organization-admin role.
* **User Interaction (UI):** None – no victim interaction needed.
* **Scope (S):** Unchanged – impact remains within the vulnerable authorization boundary.
* **Confidentiality, Integrity, Availability (C/I/A):** High – full compromise of platform data and operations is possible post-escalation.

## Timeline

| Event | Date (UTC) |
|-------|------------|
| CVE published | 2026-05-26 18:16:51 |
| CVE last modified | 2026-05-26 20:26:21 |

## Recommended Actions

1. **Upgrade immediately** to OpenCTI 6.9.7 or later.
2. **Audit organization membership changes** in logs for any suspicious `relationAdd` operations on `userEdit` prior to patching.
3. **Review ACL policies** for user-management mutations to ensure cross-organization user associations require appropriate authorization checks.
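As an added illustration of the second recommended action (this is not OpenCTI's own code, schema or log format; the field names, user directory and audit records below are constructed for the example), a triage routine that flags `relationAdd` operations on `userEdit` in which a non-platform admin adds a user from another organization, or a user who already holds platform-admin rights:

```javascript
// Constructed user directory (assumed fields; not OpenCTI's real schema).
const users = {
  "u-alice": { org: "org-A", platformAdmin: false, orgAdmin: true },
  "u-bob":   { org: "org-B", platformAdmin: true,  orgAdmin: false },
  "u-carol": { org: "org-A", platformAdmin: false, orgAdmin: false },
  "u-dave":  { org: "org-B", platformAdmin: false, orgAdmin: false },
};

// Constructed audit events (assumed fields; not OpenCTI's real log format).
const auditEvents = [
  { ts: "2026-05-26T19:00:00Z", actor: "u-alice", mutation: "userEdit",
    op: "relationAdd", target: "u-bob", relation: "member-of", org: "org-A" },
  { ts: "2026-05-26T19:05:00Z", actor: "u-alice", mutation: "userEdit",
    op: "relationAdd", target: "u-carol", relation: "member-of", org: "org-A" },
  { ts: "2026-05-26T19:10:00Z", actor: "u-alice", mutation: "userEdit",
    op: "relationAdd", target: "u-dave", relation: "member-of", org: "org-A" },
  { ts: "2026-05-26T19:15:00Z", actor: "u-alice", mutation: "userEdit",
    op: "fieldPatch", target: "u-carol" },
];

// Returns the events that match the pattern the advisory describes: a
// non-platform admin adding a user from another organization, or a user who
// already holds platform-admin rights, together with the reason(s) flagged.
function findSuspiciousMembershipAdds(events, directory) {
  const findings = [];
  for (const ev of events) {
    // Only the vulnerable operation is of interest.
    if (ev.mutation !== "userEdit" || ev.op !== "relationAdd") continue;
    const actor = directory[ev.actor];
    const target = directory[ev.target];
    if (!actor || !target) continue;          // unknown principal: skip
    if (actor.platformAdmin) continue;        // platform admins may manage any org
    const reasons = [];
    if (target.org !== actor.org) reasons.push("cross-organization add");
    if (target.platformAdmin) reasons.push("target holds platform-admin privileges");
    if (reasons.length > 0) {
      findings.push({ ts: ev.ts, actor: ev.actor, target: ev.target, reasons });
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample; u-bob and u-dave are flagged.
console.log(findSuspiciousMembershipAdds(auditEvents, users));
```

Any hit on a pre-patch instance is worth a closer look at what the flagged actor did afterwards, since the escalation itself leaves only this membership change as its footprint.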
- Vendor: OpenCTI-Platform
- Product: opencti
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
## Who should care
OpenCTI administrators, SOC teams using OpenCTI for threat-intelligence management, and security auditors reviewing multi-tenant CTI platforms.
## Technical summary

An incorrect ACL on `userEdit` → `relationAdd` allows organization admins to add higher-privileged users from other organizations, achieving privilege escalation. Fixed in 6.9.7.
## Defensive priority

HIGH

## Recommended defensive actions

- Upgrade to OpenCTI 6.9.7 or later
- Audit organization membership changes in logs for suspicious `relationAdd` operations on `userEdit` prior to patching
- Review ACL policies for user-management mutations to ensure cross-organization user associations require appropriate authorization checks
## Evidence notes
Vulnerability description and fix version derived from official GitHub Security Advisory GHSA-q537-qhj4-wcjx. CVSS vector and CWE-284 classification sourced from NVD record. Timeline dates reflect CVE.org and NVD published/modified timestamps.
## Official resources

- CVE-2026-44730 CVE record (CVE.org)
- CVE-2026-44730 NVD detail (NVD)
- Mitigation or vendor reference: Vendor Advisory (2026-05-26)