Cyber Resilience

CVE-2024-26139

High

Published: 23 May 2024

Modified: 22 May 2025
KEV Added
Patch
CVSS Score (v3.1): 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0016 (36.5th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-26139 is a high-severity Improper Access Control (CWE-284) vulnerability in OpenCTI (vendor: Citeum). Its CVSS v3.1 base score is 8.3 (High).

Operationally, it ranks at the 36.5th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Due to lack of certain security controls on the profile edit functionality, an authenticated attacker with low privileges can gain administrative privileges on the web application.

CWE(s): CWE-284 (Improper Access Control), CWE-657 (Violation of Secure Design Principles)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: citeum
Product: opencti
Affected versions: ≤ 5.12.31

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-284, CWE-657: The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.

Addresses CWE-284, CWE-657: The policy defines roles, responsibilities, and management commitment for authorization and monitoring, establishing formal access controls over these security functions.

Addresses CWE-657, CWE-284: Deficiencies violating secure design principles are tracked and corrected through planned actions, limiting attacker opportunities from design flaws.

Addresses CWE-657, CWE-284: Documented policy with defined scope, roles, responsibilities, and periodic review directly enforces secure design principles and management commitment.

Addresses CWE-284, CWE-657: Mandates defining roles and responsibilities, security categorization, and controls (including authorization) while protecting plans from unauthorized modification.

Addresses CWE-284, CWE-657: The CONOPS describes the organization's intended security and privacy operating model, including access-control concepts, making systemic improper access control less likely to persist undetected.

Addresses CWE-284, CWE-657: Architectures explicitly define requirements and mechanisms for access control to protect confidentiality, integrity, and availability.

Addresses CWE-657, CWE-284: Directly requires incorporating security and privacy considerations into the definition of mission/business processes, preventing violations of secure design principles at the organizational level.
