A critical-severity Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-39980, has been disclosed in OpenCTI, the widely deployed open-source cyber threat intelligence platform.
The flaw allows privileged, authenticated users to execute arbitrary JavaScript on the server through improperly sanitized EJS notifier templates, potentially granting attackers complete control over the platform and its sensitive intelligence data.
CVE-2026-39980: Critical RCE Flaw
OpenCTI, developed and maintained by Filigran, is one of the most widely used platforms for managing structured threat intelligence, threat actor profiles, and observable data across enterprise SOC and government security environments.
The vulnerability affects all OpenCTI versions before 6.9.5 and is rooted in the platform’s safeEjs.ts file, which is responsible for rendering EJS (Embedded JavaScript) templates used in the notification and alerting subsystem.
Despite the file’s intent to provide safe EJS rendering, it fails to adequately escape or filter dangerous JavaScript constructs before template compilation and execution.
EJS (Embedded JavaScript) is a JavaScript templating language that allows dynamic content generation by embedding code inside delimiters such as <% %> for logic and <%= %> for output.
OpenCTI’s notifier system uses EJS templates to construct customized notification messages triggered by platform events. The safeEjs.ts component was specifically designed to sandbox this template execution and prevent code injection.
However, the implementation fails to properly neutralize special elements, a class of vulnerability formalized under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).
A user with the “Manage customization” capability can craft a malicious EJS template containing embedded JavaScript that escapes the template context and executes directly within OpenCTI’s Node.js runtime.
The CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H reflects several alarming characteristics of this flaw:
| CVSS Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No special conditions or race conditions needed |
| Privileges Required | High | Requires “Manage customization” role |
| User Interaction | None | No victim action needed after template is set |
| Scope | Changed | Impact crosses trust boundaries beyond OpenCTI |
| Confidentiality / Integrity / Availability | High / High / High | Full triad compromise possible |
The Scope: Changed metric is especially significant. It means that once the injected JavaScript runs in the Node.js process, the attacker’s reach extends beyond the OpenCTI application boundary itself, potentially affecting the underlying operating system, file system, and network resources.
Attack Chain and Exploitation Flow
While exploitation requires a high-privilege account, security researchers warn that this should not be treated as a robust barrier.
The “Manage customization” role is typically assigned to platform administrators, senior analysts, and power users who configure notification workflows in enterprise OpenCTI deployments.
The exploitation chain follows a predictable but highly impactful path:
- Attacker gains access to an OpenCTI account with “Manage customization” privileges via credential theft, phishing, insider threat, or privilege escalation.
- Attacker navigates to the notifier template configuration interface within OpenCTI’s customization panel.
- Attacker injects a malicious EJS payload embedded within the template syntax, for example, a template block that spawns a reverse shell, reads /etc/passwd, or establishes persistence.
- The malicious template is saved and waits silently.
- When a platform event triggers the notifier (e.g., a new threat indicator is created), the template executes, and the injected JavaScript runs in the OpenCTI Node.js process.
Once execution is complete, the attacker can exfiltrate threat intelligence data, install backdoors, pivot to connected systems, or weaponize the compromised OpenCTI instance to launch further attacks against connected SIEM, SOAR, or ticketing integrations.
Indicators of Compromise (IOCs)
Security teams should actively hunt for the following signs of exploitation:
- Unexpected modifications to notification templates containing JavaScript constructs (e.g., require('child_process'), process.env)
- Anomalous process spawning from the OpenCTI Node.js process (e.g., sh, bash, curl, wget as child processes)
- Unusual outbound network connections originating from the OpenCTI server to unknown external IP addresses
- Application log entries indicating template rendering errors, stack traces, or unexpected JavaScript exceptions
- User activity logs showing template edits outside of scheduled change windows.
Patch and Remediation
The disclosed vulnerability, assigned CVE-2026-39980 and carrying a maximum CVSS v3.1 score of 9.1 (Critical), was published via GitHub Security Advisory GHSA-jv9r-jw2f-rhrf.
Filigran released OpenCTI version 6.9.5 on January 5, 2026, via the Filigran-Automation release pipeline, which addresses this vulnerability by implementing proper sanitization within the safeEjs.ts template engine.
The patch included in pull request #13831, contributed by Underournet under the title “Improve tem,plate engine,” closes the injection pathway by correctly escaping dangerous template constructs before execution.
Organizations running any version below 6.9.5 are urged to upgrade immediately. Until patching is complete, defenders should:
- Audit all accounts with the “Manage customization” capability and revoke non-essential assignments
- Review all existing notification templates for anomalous JavaScript code
- Deploy network segmentation around the OpenCTI server to limit lateral movement potential
- Enable verbose OpenCTI application logging and configure alerting on template modification events
- Consider temporarily turning off custom notification templates if not operationally critical
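The first indicator in the IOC list above and the second mitigation step here both come down to the same task: reading every stored notifier template and flagging scriptlet code that reaches into Node.js instead of formatting a message. The following added example (not OpenCTI or Filigran code) does that over template source strings. It assumes nothing about how OpenCTI stores templates; the samples and the notification variable name are constructed for the example, and the construct list is a review aid, not a verdict, since a word like process can appear legitimately in a field name.

```javascript
// Added example (not OpenCTI or Filigran code): audit EJS notifier templates
// for JavaScript constructs that have no place in a notification message.

// Matches one EJS tag: <% code %>, <%= expr %>, <%- expr %>, <%# comment %>,
// with optional whitespace-control suffix (-%> or _%>).
const EJS_TAG = /<%([=\-_#]?)([\s\S]*?)[-_]?%>/g;

// Constructs the article lists as indicators, plus the usual routes from
// template code to Node.js internals. Applied to scriptlet code only.
const RISKY = [
  { name: 'require()',         re: /\brequire\s*\(/ },
  { name: 'child_process',     re: /child_process/ },
  { name: 'process object',    re: /\bprocess\b/ },
  { name: 'global object',     re: /\b(global|globalThis)\b/ },
  { name: 'dynamic code eval', re: /\b(eval|Function)\s*\(/ },
  { name: 'dynamic import',    re: /\bimport\s*\(/ },
  { name: 'constructor walk',  re: /\.constructor\b/ },
];

// Returns one finding per (tag, rule) hit: which template, which construct,
// and the offending tag body so a reviewer can look at it directly.
function auditTemplate(name, source) {
  const findings = [];
  for (const tag of source.matchAll(EJS_TAG)) {
    const [, mode, code] = tag;
    if (mode === '#') continue; // EJS comment: never compiled or executed
    for (const rule of RISKY) {
      if (rule.re.test(code)) {
        findings.push({ template: name, construct: rule.name, code: code.trim() });
      }
    }
  }
  return findings;
}

function auditAll(templates) {
  return Object.entries(templates).flatMap(([name, src]) => auditTemplate(name, src));
}

// Constructed sample templates (not taken from any real deployment).
const TEMPLATES = {
  benign: 'New indicator: <%= notification.name %> (<%= notification.type %>)',
  commentedOnly: '<%# process.env mentioned in a comment, which EJS never runs %>Hello',
  suspicious: '<% const env = process.env; %><%= env.NODE_ENV %>',
  suspicious2: "<%- require('child_process') %>",
};

for (const f of auditAll(TEMPLATES)) {
  console.log(`[${f.template}] ${f.construct}: ${f.code}`);
}
```

Run this over an export of all notifier templates before and after the upgrade to 6.9.5: the pre-upgrade pass tells you whether anything was planted while the platform was vulnerable, and diffing the two passes against the audit log of template edits gives you the change-window check from the IOC list.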
Impact on the Threat Intelligence Ecosystem
OpenCTI is a cornerstone platform in enterprise and government threat intelligence operations globally, often serving as the centralized repository for structured intelligence feeds, malware indicators, APT campaign data, and STIX/TAXII object stores.
Exploiting CVE-2026-39980 would not only compromise and expose the sensitive data held in the platform; it could also allow an attacker to corrupt or poison intelligence feeds shared downstream with partner organizations, SIEMs, and threat hunting tools. This secondary poisoning risk elevates the real-world severity beyond what the CVSS score alone communicates.
FAQs
Q1: What is CVE-2026-39980?
It is a critical RCE vulnerability in OpenCTI’s safeEjs.ts file that allows users with “Manage customization” privilege to execute arbitrary JavaScript via unsanitized EJS notifier templates.
Q2: Which OpenCTI versions are affected?
All OpenCTI versions before 6.9.5 are vulnerable; upgrading to 6.9.5 or later fully remediates the flaw.
Q3: Is high-privilege access required to exploit this vulnerability?
Yes, exploitation requires an authenticated account with the “Manage customization” role; however, this is a commonly assigned privilege in enterprise deployments.
Q4: How can organizations detect exploitation of CVE-2026-39980?
Monitor OpenCTI audit logs for suspicious template edits, watch for anomalous child processes spawned by Node.js, and alert on unexpected outbound connections from the OpenCTI server.
Site: http://thecybrdef.com