Summary
OpenCTI May Bypass Introspection Restriction
Advisory details
Summary
The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query.
Details
GraphQL Queries in OpenCTI can be validated using the secureIntrospectionPlugin.
Impact
Bypassing this restriction allows the attacker to gather a wealth of information about the GraphQL endpoint functionality that can be used to perform actions and/or read data without authorization. These queries can also be weaponized to conduct a Denial of Service (DoS) attack if sent repeatedly.
References
- https://github.com/advisories/GHSA-4mvw-j8r9-xcgc
- https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-4mvw-j8r9-xcgc
- https://nvd.nist.gov/vuln/detail/CVE-2024-37155
- https://github.com/OpenCTI-Platform/opencti/commit/f87d96918c63b0c3d3ebfbea6c789d48e2f56ad5
- https://github.com/OpenCTI-Platform/opencti/blob/6343b82b0b0a5d3ded3b30d08ce282328a556268/opencti-platform/opencti-graphql/src/graphql/graphql.js#L83-L94
- https://github.com/pypa/advisory-database/tree/main/vulns/pycti/PYSEC-2024-313.yaml
Related vulnerabilities
All Supply chain →- HIGHCVE-2026-50132
Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
- MEDIUMCVE-2026-31978
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
- CRITICALCVE-2024-6385
CVE-2024-6385 was a critical improper access control flaw in GitLab Community and Enterprise Edition disclosed on July 11, 2024, affecting versions from 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2, that under certain circumstances let an attacker trigger and run a CI/CD pipeline as another, arbitrary user. The bug stemmed from the pipeline-triggering logic failing to correctly validate the identity of the user on whose behalf a pipeline was started, so jobs executed with the victim's permissions, CI_JOB_TOKEN, and access to their CI/CD secrets such as cloud tokens, Kubernetes service accounts, and attached identities, enabling privilege escalation across the platform. It was effectively a re-fix of CVE-2024-5655 (also critical, disclosed late June 2024), whose root cause was that merge requests automatically retargeted to a new branch upon merge would inadvertently trigger pipeline execution as the original author without manual initiation, with GraphQL CI_JOB_TOKEN authentication being disabled by default as part of the mitigation. Both flaws were rated critical by GitLab and prompted urgent patch guidance.
- HIGHSC-CRED-HYGIENE-CICDSEC6-2023
Insufficient credential hygiene is the class in which long-lived, broadly-scoped secrets such as cloud access keys, registry tokens, and signing keys are stored as static CI variables, so any pipeline compromise (or any poisoned-pipeline, OIDC, or cache attack) yields durable, high-blast-radius credentials. The root mechanism is that static secrets do not expire, are often shared across projects, and grant standing access far beyond a single build, so theft of the CI platform's secret store or of a single workflow's environment converts a transient foothold into persistent access to production cloud and registry accounts. The CircleCI breach of January 2023 is the canonical illustration: malware on an engineer's laptop stole a valid 2FA-backed SSO session, letting attackers exfiltrate customers' environment variables, API tokens, and SSH keys, and CircleCI had to invalidate project tokens and instruct every customer to rotate all stored secrets, a platform-wide rotation that demonstrated the systemic cost of static-credential dependence. OWASP catalogues this as CICD-SEC-6 and recommends short-lived OIDC tokens and least privilege as the structural fix.
- HIGHCVE-2026-52801
Gogs has the ability to import local repositories via Mirror Settings
- HIGHCVE-2026-52800
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover