OpenCTI: Elasticsearch Painless Script Injection via GraphQL `script` filter operator allows authenticated user to exfiltrate data and cause DoS
Summary
| CVE | CVE-2026-35211 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 21:16:48 UTC |
| Updated | 2026-07-08 21:16:48 UTC |
| Description | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated user with the KNOWLEDGE capability to pass user-supplied Elasticsearch Painless script values directly into search queries without validation or sanitization, allowing computationally expensive scripts to consume cluster CPU resources and degrade or deny service for all users. This issue is fixed in version 7.260401.0. |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-94 | CWE-863 | CWE-94 CWE-94: Improper Control of Generation of Code ('Code Injection') | CWE-863 CWE-863: Incorrect Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | OpenCTI-Platform | Opencti | affected < 7.260401.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/OpenCTI-Platform/opencti/releases/tag/7.260401.0 | [email protected] | github.com | |
| github.com/OpenCTI-Platform/opencti/commit/b134ccedf9e68386723cb42197f8e... | [email protected] | github.com | |
| github.com/OpenCTI-Platform/opencti/pull/15284 | [email protected] | github.com | |
| github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-qpp6-p693-rmm4 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.