What Happened

A critical security vulnerability identified as CVE-2026-39980 has been discovered within OpenCTI, a well-regarded open source platform for managing cyber threat intelligence knowledge and observables. The vulnerability was reported in versions prior to 6.9.5. The issue was pinpointed to stem from improper sanitization processes within the safeEjs.ts file. This flaw is exploited when users with the 'Manage customization' capability execute notifier templates, inadvertently enabling the execution of arbitrary JavaScript code within the scope of the OpenCTI platform process. This has created a substantial risk within affected installations of OpenCTI, prompting rapid security advisories and the subsequent release of a patched version.

Addressing this serious concern, the maintainers of OpenCTI have released version 6.9.5, effectively mitigating the vulnerability. Organizations utilizing the OpenCTI platform are urged to upgrade immediately to safeguard their systems.

Technical Details

CVE-2026-39980 is characterized as an improper input validation vulnerability with a CVSS score of 9.1, indicating its high severity. The vulnerability resides in the safeEjs.ts file, which fails to properly sanitize Embedded JavaScript (EJS) templates. This coding oversight permits an attacker with 'Manage customization' privileges on the platform to inject and execute arbitrary JavaScript within the application's execution context.

This attack vector is accessible only to users with specific administrative capabilities within the OpenCTI platform, thus restricting potential exploit scenarios to internal actors or external attackers who have already compromised an account with adequate permissions. The nature of this vulnerability can potentially enable remote code execution (RCE), granting attackers the ability to manipulate system behavior, access sensitive data, or disrupt service availability.

Version 6.9.5 of OpenCTI includes a fix for this vulnerability by implementing comprehensive sanity checks and input validation measures within the EJS template handling process, effectively blocking the identified attack vector.

Impact

The criticality of CVE-2026-39980 primarily affects deployments of OpenCTI on enterprise systems. Organizations relying on OpenCTI for their threat intelligence and analysis functions are at particular risk. Successful exploitation could lead to significant security breaches, allowing attackers to execute arbitrary code and potentially gain control of compromised systems.

The adoption of the compromised OpenCTI versions in threat intelligence workflows could lead to the leakage or unauthorized modification of highly sensitive threat data, ultimately undermining the integrity of intelligence efforts and exposing the organization to further security threats.

What To Do

  • Upgrade Immediately: Ensure all instances of OpenCTI are updated to version 6.9.5 or later, as this version contains the necessary patches to mitigate CVE-2026-39980.
  • Review User Permissions: Conduct a thorough review of user accounts with 'Manage customization' capabilities and restrict this access to only essential personnel.
  • Monitor for Suspicious Activity: Establish logging and monitoring mechanisms to detect any attempts of exploitation, focusing on the execution of suspicious JavaScript code in notifier templates.
  • Implement Network Segmentation: Isolate the OpenCTI platform within segmented network zones to minimize potential impact in case of exploitation.

The immediate attention to this vulnerability within OpenCTI is crucial for maintaining operational security. By applying the appropriate update and implementing diligent access control measures, organizations can significantly mitigate the associated risks and protect their cyber threat intelligence assets.