OpenCTI Critical Auth Bypass: Unauthenticated API Access Threatens CTI Platforms
The National Vulnerability Database has identified CVE-2026-27960, a critical privilege escalation flaw in OpenCTI versions 6.6.0 through 6.9.12. This vulnerability allows unauthenticated attackers to query the API as any user, including the default administrator. The potential for complete system compromise is significant, as attackers could manipulate threat intelligence data or exfiltrate sensitive information.
This flaw represents a direct threat to organizations relying on OpenCTI for managing their cyber threat intelligence. Successful exploitation bypasses all authentication mechanisms, granting attackers the highest level of access. The National Vulnerability Database notes that the issue is fixed in version 6.9.13, and a workaround involves disabling the default administrator account via the APP__ADMIN__EXTERNALLY_MANAGED configuration setting.
What This Means For You
- If your organization uses OpenCTI, immediately verify your version and patch to 6.9.13 or later. If patching is not feasible, implement the `APP__ADMIN__EXTERNALLY_MANAGED` workaround to disable the default administrator account and prevent unauthenticated access.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats. 3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK, provided as Sigma YAML.
CVE-2026-27960 - OpenCTI Unauthenticated API Access for User Enumeration
```yaml
title: CVE-2026-27960 - OpenCTI Unauthenticated API Access for User Enumeration
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to access the OpenCTI API endpoint for user information without authentication. CVE-2026-27960 allows unauthenticated attackers to query the API as any existing user, including the default admin. This specific URI pattern is indicative of an attacker attempting to enumerate users or bypass authentication by exploiting this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-27960/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/user'
    cs-method:
      - 'GET'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
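The following added example (not from the page or the OpenCTI project) evaluates the rule's `selection` the way Sigma semantics define it, values listed under one field are OR-ed and the fields of a selection are AND-ed, over a constructed W3C extended log excerpt. The log lines, client IPs and timestamps are made up for illustration.

```python
from typing import Iterator

# Selection block from the Sigma rule above: every field must match (AND),
# and a field matches when any of its listed values matches (OR).
RULE = {
    "cs-uri": ("contains", ["/api/v1/user"]),
    "cs-method": ("equals", ["GET"]),
    "sc-status": ("equals", ["200"]),
}

# Constructed sample in W3C extended log format (not a real capture).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status
2026-05-05 22:16:01 203.0.113.10 GET /graphql 200
2026-05-05 22:16:05 203.0.113.10 GET /api/v1/user 200
2026-05-05 22:16:07 198.51.100.7 POST /api/v1/user 401
2026-05-05 22:16:09 203.0.113.10 GET /api/v1/user?id=1 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def matches(event: dict) -> bool:
    """Apply the rule's selection to a single parsed event."""
    for field, (op, expected) in RULE.items():
        value = event.get(field)
        if value is None:
            return False
        if op == "contains" and not any(e in value for e in expected):
            return False
        if op == "equals" and value not in expected:
            return False
    return True


def find_hits(text: str) -> list:
    """Return the events in a log excerpt that trigger the rule."""
    return [e for e in parse_w3c(text) if matches(e)]
```

The two successful `GET` requests to the user endpoint are flagged, while the `/graphql` call and the rejected `POST` (status 401) are not; as the rule's `falsepositives` entry notes, hits still need to be checked against legitimate administrative activity.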
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-27960 | Vulnerability | CVE-2026-27960 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.