EXECUTIVE SUMMARY:
CVE-2026-44730, with a CVSS score of 7.2, is a privilege-escalation flaw in the OpenCTI platform that affects all versions prior to the next released patch. The vulnerability stems from an incorrectly configured access-control list on the GraphQL `userEdit` relation: it permits an organization administrator to invoke the `addUser` mutation and associate a user from a different organization who holds higher privileges, effectively granting the administrator those elevated rights within the target organization. Exploitation requires network-remote access to the GraphQL endpoint together with valid administrator credentials for any organization in the OpenCTI instance; no user interaction and no privileges beyond that organization-administrator role are needed. Once abused, the attacker gains full platform access, including the ability to read, modify, or delete sensitive threat intelligence data and proprietary information across organizations. The business impact can be severe, as compromised data confidentiality, integrity, and availability may lead to loss of competitive advantage, regulatory penalties, and damage to stakeholder trust. Exploitation is contingent on the presence of the vulnerable GraphQL API and the lack of proper ACL enforcement for cross-organization user edits.
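The summary above describes a missing authorization check: the `addUser` mutation lets an organization administrator act on a user who belongs to another organization and outranks them. The following is an added illustration, not OpenCTI's code, of the guard such a mutation resolver needs, plus a replay of constructed audit records through that guard to surface requests that should have been refused. The role names, rank ordering, object shapes and record format are all assumptions made for this example.

```javascript
// Added example (not OpenCTI's code): a hypothetical authorization guard for an
// "addUser"-style GraphQL mutation that associates a user with an organization.
// It enforces the two conditions the advisory describes as unenforced:
//   1. an organization administrator may only act on users already within the
//      organizations they administer (no cross-organization association);
//   2. the user being associated must not hold privileges above the actor's.
// Role names and their ranking are assumptions for this example.
const ROLE_RANK = { user: 1, org_admin: 2, platform_admin: 3 };

function rankOf(role) {
  const rank = ROLE_RANK[role];
  if (rank === undefined) throw new Error(`unknown role: ${role}`);
  return rank;
}

// actor / targetUser: { role: string, organizations: string[] } (assumed shape).
// Returns { allowed: boolean, reason: string } so callers can log the verdict.
function authorizeAddUser(actor, targetUser, organizationId) {
  if (actor.role === 'platform_admin') {
    return { allowed: true, reason: 'platform administrator' };
  }
  if (actor.role !== 'org_admin') {
    return { allowed: false, reason: 'actor is not an organization administrator' };
  }
  if (!actor.organizations.includes(organizationId)) {
    return { allowed: false, reason: 'actor does not administer the target organization' };
  }
  // The check the advisory says is missing: the target user must already sit in
  // an organization the actor administers, so cross-organization edits are refused.
  const inScope = targetUser.organizations.some((org) => actor.organizations.includes(org));
  if (!inScope) {
    return { allowed: false, reason: 'target user belongs to a different organization' };
  }
  // Never let an administrator attach a user who outranks them.
  if (rankOf(targetUser.role) > rankOf(actor.role)) {
    return { allowed: false, reason: 'target user holds higher privileges than the actor' };
  }
  return { allowed: true, reason: 'same-organization user with equal or lower privileges' };
}

// Replay recorded mutations through the guard and return the ids of those that
// should have been denied. The record shape is an assumption for this example.
function replayAudit(records) {
  return records
    .filter((rec) => rec.mutation === 'addUser')
    .map((rec) => ({ id: rec.id, verdict: authorizeAddUser(rec.actor, rec.targetUser, rec.organizationId) }))
    .filter((entry) => !entry.verdict.allowed)
    .map((entry) => entry.id);
}

// Constructed sample audit records (not real OpenCTI logs).
const SAMPLE_AUDIT = [
  { id: 'rec-1', mutation: 'addUser', organizationId: 'org-a',
    actor: { role: 'org_admin', organizations: ['org-a'] },
    targetUser: { role: 'user', organizations: ['org-a'] } },
  { id: 'rec-2', mutation: 'addUser', organizationId: 'org-a',
    actor: { role: 'org_admin', organizations: ['org-a'] },
    targetUser: { role: 'platform_admin', organizations: ['org-b'] } },
  { id: 'rec-3', mutation: 'addUser', organizationId: 'org-b',
    actor: { role: 'platform_admin', organizations: [] },
    targetUser: { role: 'org_admin', organizations: ['org-b'] } },
  { id: 'rec-4', mutation: 'addUser', organizationId: 'org-b',
    actor: { role: 'org_admin', organizations: ['org-a'] },
    targetUser: { role: 'org_admin', organizations: ['org-b'] } },
  { id: 'rec-5', mutation: 'removeUser', organizationId: 'org-a',
    actor: { role: 'org_admin', organizations: ['org-a'] },
    targetUser: { role: 'user', organizations: ['org-a'] } },
];

const flagged = replayAudit(SAMPLE_AUDIT);
console.log(`records that should have been refused: ${flagged.join(', ')}`);

module.exports = { authorizeAddUser, replayAudit, SAMPLE_AUDIT, ROLE_RANK };
```

The guard returns a reason string rather than a bare boolean so a resolver can both refuse the mutation and emit an audit entry naming which condition failed; the replay function applies the same guard retroactively, which is the check an operator would want to run over historical mutation logs while a patched build is being rolled out.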
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: