CVE-2026-35212 Overview
CVE-2026-35212 is a stored cross-site scripting (XSS) vulnerability in OpenCTI, an open source cyber threat intelligence (CTI) platform. The flaw exists in how the platform renders the body field of email-message observables. OpenCTI fails to sanitize this content before rendering, allowing an attacker to inject executable script. Exploitation requires user interaction, but the malicious payload can be delivered through shared STIX bundles or any of the platform ingesters. Successful exploitation can lead to cross-site request forgery (CSRF) and large-scale session theft against analysts viewing the affected observable. Versions prior to 7.260227.0 are affected, and 7.260227.0 contains the fix.
Critical Impact
An attacker can inject script into email-message observables shared via STIX or ingesters, enabling CSRF and session theft against OpenCTI analysts who view the content.
Affected Products
- OpenCTI versions prior to 7.260227.0
- OpenCTI deployments ingesting third-party STIX bundles
- OpenCTI instances with any configured ingester processing email-message observables
Discovery Timeline
- 2026-06-02 - CVE-2026-35212 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-35212
Vulnerability Analysis
The vulnerability is a stored XSS issue classified under [CWE-79], Improper Neutralization of Input During Web Page Generation. OpenCTI stores email-message observables as part of its STIX 2.1 data model. The body field of these observables holds the raw message content. When an analyst opens the observable in the OpenCTI web interface, the platform renders the body value without escaping HTML or filtering script content. Any markup placed in that field, including <script> tags and event handler attributes, executes in the analyst's authenticated browser session.
Because OpenCTI ingests data from external feeds, connectors, and shared STIX bundles, the attacker does not need a direct account on the target instance. A poisoned observable propagated through a trusted feed reaches every downstream platform that ingests it. Once an analyst views the observable, the script runs with that user's session privileges, enabling CSRF against the OpenCTI API and theft of session material.
Root Cause
The root cause is missing output encoding on the body attribute of email-message observables during front-end rendering. The application treats untrusted observable content as safe HTML rather than escaping it as text.
Attack Vector
The attack vector is network-based with required user interaction. An attacker crafts an email-message observable containing a script payload, then delivers it through any STIX-compatible channel, including direct sharing, TAXII feeds, or other connectors and ingesters. Exploitation triggers when an analyst opens the observable in the OpenCTI UI. See the OpenCTI GitHub Security Advisory for vendor-confirmed details.
Detection Methods for CVE-2026-35212
Indicators of Compromise
- Email-message observables whose body field contains HTML tags, <script> elements, or on* event handler attributes
- Unexpected outbound requests from analyst browsers to attacker-controlled hosts shortly after opening an observable
- OpenCTI audit logs showing unexpected API calls performed under an analyst account immediately after observable views
Detection Strategies
- Query the OpenCTI database or API for email-message observables and flag entries where body contains <, >, javascript:, or on event handler patterns
- Inspect ingester and connector logs for STIX bundles containing email-message objects with HTML or script content in the body field
- Monitor web proxy and DNS logs for analyst workstation connections to unfamiliar domains following CTI platform usage
Monitoring Recommendations
- Enable and centralize OpenCTI access logs, including observable view events and API authentication events
- Apply a strict Content Security Policy (CSP) in front of the OpenCTI UI and alert on CSP violation reports
- Track new or modified email-message observables introduced by external feeds for manual review prior to analyst access
How to Mitigate CVE-2026-35212
Immediate Actions Required
- Upgrade OpenCTI to version 7.260227.0 or later, which contains the official fix
- Audit existing email-message observables for HTML or script content and quarantine or sanitize any matches
- Temporarily pause untrusted ingesters and STIX feeds until the upgrade is in place
Patch Information
OpenCTI version 7.260227.0 remediates CVE-2026-35212 by sanitizing the body field of email-message observables before rendering. Refer to the OpenCTI GitHub Security Advisory GHSA-rg6r-x26x-63vq for the official patch reference.
Workarounds
- Restrict ingestion to trusted, vetted STIX sources until the patch is applied
- Enforce a restrictive Content Security Policy disallowing inline scripts on the OpenCTI front end
- Limit analyst account privileges so that any CSRF executed via XSS has reduced impact on the platform
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
