OpenCTI CVE-2026-27960: Brief Summary of Critical Unauthenticated API Impersonation Vulnerability

A brief summary of CVE-2026-27960, a critical authentication bypass in OpenCTI (CVSS 9.8) that allows unauthenticated attackers to query the API as any existing user, including the default admin account. Covers affected versions, technical details, and available mitigations.

ZeroPath CVE Analysis

2026-05-05

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An authentication bypass in OpenCTI's API allows any unauthenticated remote attacker to impersonate existing users, including the default administrator, and execute arbitrary API queries with their full privileges. For organizations relying on OpenCTI to manage sensitive cyber threat intelligence, this vulnerability exposes the entire knowledge base, all observables, and platform configuration to unauthorized access and manipulation.

OpenCTI is an open source cyber threat intelligence platform developed by Filigran that enables security teams to structure, store, and operationalize threat intelligence data. It is widely adopted across government agencies, MSSPs, and enterprise SOCs as a central hub for CTI workflows, integrating with tools like MISP, TheHive, and various SIEM platforms. Its role as a repository for sensitive threat data and indicators of compromise makes any authentication bypass particularly consequential.

Technical Information

The root cause of CVE-2026-27960 is an Improper Authentication weakness (CWE-287) within the OpenCTI API. The flaw allows unauthenticated attackers to completely bypass the platform's authentication mechanisms and execute API queries in the context of any user that exists in the system. When the default admin account is active, which is the case in standard installations, an attacker can trivially escalate to full administrative control over the entire threat intelligence platform.

CVSS Breakdown

The CVSS v3.1 vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, producing a 9.8 Critical score. Each metric contributes to the severity:

Metric                   | Value     | Implication
Attack Vector (AV)       | Network   | Exploitable remotely over the network
Attack Complexity (AC)   | Low       | No special conditions or race windows required
Privileges Required (PR) | None      | Unauthenticated access
User Interaction (UI)    | None      | Automated exploitation possible
Scope (S)                | Unchanged | Impact confined to the OpenCTI platform itself
Confidentiality (C)      | High      | Full data exposure
Integrity (I)            | High      | Data manipulation possible
Availability (A)         | High      | Service disruption possible

Attack Flow

Based on the advisory details, exploitation follows this general sequence:

  1. An attacker identifies a network-accessible OpenCTI instance running a vulnerable version (6.6.0 through 6.9.12).
  2. The attacker crafts unauthenticated API requests that exploit the authentication bypass to impersonate an existing user.
  3. By targeting the default admin account, the attacker gains full read and write access to all threat intelligence data, platform configuration, user management, and any integrated feeds or connectors.
  4. With administrative API access, the attacker can exfiltrate sensitive threat intelligence, modify or delete observables and indicators, create new accounts for persistence, or disrupt platform operations entirely.

The combination of no authentication requirement, low complexity, and no user interaction means this vulnerability is well suited for automated scanning and exploitation at scale.

Mitigation

The only complete resolution is to upgrade OpenCTI to version 6.9.13 or later.

As an interim measure, administrators can disable the default admin account by setting the APP__ADMIN__EXTERNALLY_MANAGED configuration option. The official advisory explicitly notes that this is a partial workaround only: the underlying authentication bypass remains, and every other user account in the system can still be impersonated. Administrators should verify their configuration state after applying this workaround and treat the upgrade as the definitive fix. Because exploitation requires no credentials and leaves the attacker acting as a legitimate user, patching alone does not undo earlier access: after upgrading, review the platform for accounts, API tokens, and connectors created outside change control, and rotate the admin token and any other tokens that may have been exposed.

Affected Systems and Versions

The vulnerability affects OpenCTI versions greater than or equal to 6.6.0 and less than 6.9.13. Specifically:

  • Vulnerable range: versions 6.6.0 through 6.9.12
  • Fixed version: 6.9.13

Any OpenCTI deployment within the vulnerable version range that exposes its API to the network is at risk. Instances with the default admin account enabled (the default configuration) are at the highest risk of full platform compromise.
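As an added example (not OpenCTI's own code or tooling), the following Python decides whether a reported version falls inside the affected range 6.6.0 <= v < 6.9.13 and parses the version out of a GraphQL `about { version }` reply, so the check can be scripted across a fleet. The `fetch_version` helper assumes the instance answers that query for a caller presenting its own API token in an `Authorization: Bearer` header; the JSON reply used when the script runs stand-alone is constructed for illustration, not captured from a real instance.

```python
"""Version-range check for CVE-2026-27960 (added example, not OpenCTI code)."""
import json
import re
import urllib.request

VULNERABLE_FROM = (6, 6, 0)   # first affected release
FIXED_IN = (6, 9, 13)         # first release carrying the fix


def parse_version(text):
    """Return (major, minor, patch) from strings like '6.9.12' or 'v6.9.12-rc1'.

    A pre-release suffix is ignored: a 6.9.13-rc build is treated as 6.9.13,
    which is acceptable for triage but should be confirmed by hand.
    """
    match = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised OpenCTI version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when VULNERABLE_FROM <= version < FIXED_IN, i.e. 6.6.0 through 6.9.12."""
    return VULNERABLE_FROM <= parse_version(version) < FIXED_IN


def version_from_about_response(body):
    """Extract the platform version from the JSON reply to `query { about { version } }`."""
    data = json.loads(body)
    if "errors" in data:
        raise RuntimeError(f"GraphQL errors: {data['errors']}")
    return data["data"]["about"]["version"]


def fetch_version(base_url, api_token, timeout=10):
    """Ask a live instance you administer for its version.

    Assumption: the instance answers the `about` query for a caller presenting
    a valid API token as `Authorization: Bearer <token>`.
    """
    payload = json.dumps({"query": "query { about { version } }"}).encode()
    request = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=payload,
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {api_token}",
        },
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return version_from_about_response(response.read().decode())


def triage(version):
    """One-line verdict for a version string."""
    if is_vulnerable(version):
        return f"{version}: VULNERABLE, upgrade to 6.9.13 or later"
    return f"{version}: not in the affected range"


if __name__ == "__main__":
    # Constructed sample reply standing in for a live instance.
    sample_body = '{"data": {"about": {"version": "6.9.12"}}}'
    print(triage(version_from_about_response(sample_body)))
```

Run `fetch_version("https://opencti.example.internal", token)` against each instance you operate and feed the result to `triage`; the upper bound is exclusive, so 6.9.13 itself is reported as fixed while 6.9.12 is not. Versions below 6.6.0 are outside the published range and are reported as not affected, which says nothing about other, older issues.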

