Critical (9.1)

CVE-2026-39980: OpenCTI Remote Code Execution


OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage...

Overview

A critical server-side template injection vulnerability, identified as CVE-2026-39980, affects the OpenCTI threat intelligence platform. The flaw resides in the safeEjs.ts file, which fails to properly sanitize EJS templates. This allows an authenticated attacker with the ‘Manage customization’ capability to execute arbitrary JavaScript code in the context of the OpenCTI server process.

Vulnerability Details

OpenCTI versions prior to 6.9.5 are vulnerable. The issue is triggered when a user holding the ‘Manage customization’ capability creates or edits a notifier template. Notifier templates are EJS templates, and EJS compiles a template into a JavaScript function, so any scriptlet or expression tag an author is allowed to place in the template runs as server-side code when the notifier fires. The platform’s safeEjs function did not adequately restrict what a template may contain or the context it executes in, so JavaScript embedded in a template is executed in the OpenCTI server process.
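To make the mechanism concrete, the following is an added JavaScript example and not OpenCTI’s safeEjs.ts or any code from the project. It contains a stripped-down EJS-style compiler (text between <% %> and <%= %> tags is turned into a function with new Function, which is how the ejs package works, with tags and error handling simplified) to show why an attacker-controlled template is server-side code, beside an allowlist validator and renderer that accepts only <%= dotted.path %> output tags and never compiles the template. The function names, the sample notification locals and the hostile template are all constructed for the illustration; how OpenCTI actually fixed the issue in 6.9.5 is not described on this page.

```javascript
// Added illustration (not OpenCTI's safeEjs.ts): why an EJS-style notifier template
// is server-side code, and an allowlist renderer that never compiles it.
// The tiny compiler mirrors the design of the ejs package (template text becomes a
// JavaScript function via new Function); tags and error handling are simplified.
// All names, sample data and the hostile template are constructed for this example.

// ---- 1. What the vulnerable path amounts to: template text becomes code ----
// "<% code %>" runs code, "<%= expr %>" inserts an expression, literal text is
// appended as a string. The generated function sees the Node.js global scope
// (process and everything reachable from it); new Function has no sandbox.
function compileUnsafe(template) {
  const tagRe = /<%(=?)([\s\S]*?)%>/g;
  let src = "let __out = '';\n";
  let last = 0;
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    src += `__out += ${JSON.stringify(template.slice(last, m.index))};\n`;
    src += m[1] === "="
      ? `__out += String(${m[2]});\n` // expression output
      : `${m[2]}\n`;                   // raw scriptlet: arbitrary JavaScript
    last = m.index + m[0].length;
  }
  src += `__out += ${JSON.stringify(template.slice(last))};\nreturn __out;`;
  // Like ejs, expose the locals through a `with` block.
  return new Function("locals", `with (locals) {\n${src}\n}`);
}

function renderUnsafe(template, locals) {
  return compileUnsafe(template)(locals);
}

// ---- 2. Hardened alternative: allowlist first, then substitute without compiling ----
// The only construct a notification template needs is an output tag whose body is a
// plain dotted identifier path. Scriptlets "<% %>", unescaped output "<%- %>", calls,
// brackets and operators are refused before anything is rendered.
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function findTemplateViolations(template) {
  const problems = [];
  const tagRe = /<%([\s\S]*?)%>/g;
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const body = m[1];
    if (!body.startsWith("=")) {
      problems.push(`non-output tag: <%${body}%>`);
      continue;
    }
    const expr = body.slice(1).trim();
    if (!PATH_RE.test(expr)) problems.push(`expression is not a plain path: ${expr}`);
  }
  // An unterminated "<%" is refused as well (fail closed rather than guess).
  if (template.replace(tagRe, "").includes("<%")) problems.push("unterminated tag");
  return problems; // empty array means the template is acceptable
}

function htmlEscape(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Own-property walk only: "constructor.constructor" or "__proto__.x" never reaches
// Object.prototype or Function, so a path can read notification data but not code.
function lookupPath(locals, path) {
  let cur = locals;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !Object.prototype.hasOwnProperty.call(cur, part)) {
      return undefined;
    }
    cur = cur[part];
  }
  return cur;
}

function renderSafe(template, locals) {
  const problems = findTemplateViolations(template);
  if (problems.length > 0) throw new Error("template rejected: " + problems.join("; "));
  return template.replace(/<%=([\s\S]*?)%>/g, (_, expr) => {
    const value = lookupPath(locals, expr.trim());
    return value === undefined ? "" : htmlEscape(value);
  });
}

// ---- 3. Constructed sample data ----
const SAMPLE_LOCALS = { notification: { name: "New report", count: 3 } };
const BENIGN_TEMPLATE = "Alert: <%= notification.name %> (<%= notification.count %> items)";
// A template an account with the template-editing capability could save: the scriptlet
// runs on the server when the notifier fires (here it only records that `process` is
// reachable instead of doing anything harmful).
const HOSTILE_TEMPLATE = "Alert: <% locals.pwned = typeof process %><%= notification.name %>";

const demoLocals = { ...SAMPLE_LOCALS };
console.log(renderUnsafe(HOSTILE_TEMPLATE, demoLocals), "->", demoLocals.pwned); // Alert: New report -> object
console.log(renderSafe(BENIGN_TEMPLATE, SAMPLE_LOCALS));                          // Alert: New report (3 items)
console.log(findTemplateViolations(HOSTILE_TEMPLATE));
```

The design point is that the hardened path has no compile step at all: validation rejects anything that is not a field reference, and substitution is a property walk over own properties with HTML escaping, so there is nothing for an attacker to inject into. The same findTemplateViolations check can be run over already-stored notifier templates as an interim audit while patching is pending.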

The CVSS v3.1 base score is 9.1 (Critical). The attack vector is network-based, the attack complexity is low and no user interaction is required, but the attacker must hold high-privilege credentials (an account with the ‘Manage customization’ capability). A score this high despite the privilege requirement reflects that the impact reaches beyond the OpenCTI application to the underlying host (a changed-scope vector in CVSS terms). Exploitation is straightforward for a malicious insider or for an attacker who has compromised such an account.

Impact

Successful exploitation leads to remote code execution (RCE) on the host running the OpenCTI platform. An attacker could fully compromise the server, leading to data theft, modification or deletion of threat intelligence data, installation of malware, or use of the server as a pivot point into the broader network. This could severely undermine an organization’s security operations and the integrity of its threat intelligence.

Remediation and Mitigation

The primary and definitive remediation is to upgrade OpenCTI to version 6.9.5 or later, where this vulnerability has been fixed.

Immediate Actions:

  1. Patch: Upgrade all OpenCTI instances to version 6.9.5 or later. Follow the official OpenCTI release notes for upgrade instructions.
  2. Audit Access: Review which accounts hold the ‘Manage customization’ capability and remove it from any that do not strictly need it; until the patch is applied, treat the capability as equivalent to shell access on the server.
  3. Monitor and Triage: Until patching is complete, review existing notifier templates for EJS scriptlet or unescaped-output tags (<% ... %>, <%- ... %>) or expressions that do more than insert a field value, and monitor logs for notifier creation or template modification, especially by accounts that do not normally perform it.


Security Insight

This vulnerability highlights the persistent risk of server-side injection flaws in modern web applications, even within security-focused platforms. It echoes past incidents in other tools where excessive trust in authenticated user input led to RCE. The requirement for a specific high-level permission does not diminish the threat, as it creates a perfect vector for a malicious insider or a post-exploitation action following an initial account compromise, underscoring the need for robust input validation at every trust boundary.
