OpenCTI patches notifier-template EJS injection enabling RCE
TL;DR — OpenCTI’s notifier template rendering can be abused to execute attacker-supplied JavaScript in the server process by a user with the Manage customization capability.
What happened
OpenCTI is an open-source platform used to manage cyber threat intelligence knowledge and observables. CVE-2026-39980 reports that, prior to 6.9.5, OpenCTI’s safeEjs.ts does not properly sanitize EJS templates, enabling users with the Manage customization capability to run arbitrary JavaScript in the context of the OpenCTI platform process during notifier template execution.
| Item | Source value |
|---|---|
| Affected software | OpenCTI-Platform/opencti |
| Impact (per CVE record) | Arbitrary JavaScript execution in the OpenCTI platform process via notifier template execution |
| Severity | CVSS v3.1 9.1 (Critical) |
| Affected versions | < 6.9.5 |
| Fix availability | Fixed in 6.9.5 |
This is a high-impact pattern for platform teams because “customization” surfaces often sit on the trusted side of the boundary: if an attacker can obtain (or coerce) a high-privilege account, template-engine execution paths can become straightforward code-execution primitives.
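The mechanism behind the CVE, and one defensive pattern, as an added example that is not OpenCTI's code and not the contents of its safeEjs.ts: an EJS-style engine compiles every `<% … %>` scriptlet into a function body, so whoever authors the template authors code that runs in the server process. The hardened renderer below avoids evaluation altogether by accepting only `<%= field.path %>` placeholders, looking values up with own-property checks and HTML-escaping them. The mini engine, the renderer, the validator and the sample templates are all constructed for this demonstration; the function names are hypothetical. The same `validateTemplate` check can be run over stored notifier templates when auditing a suspected compromise.

```javascript
// Added example (not OpenCTI's code). Shows why evaluating template scriptlets
// is a code-execution primitive and one data-only alternative.

// --- Hazard: a minimal EJS-like compiler (constructed; real EJS works the same
// way: tag contents are spliced into a function body and executed). ---
function unsafeRender(template, data) {
  const re = /<%([=-]?)([\s\S]*?)%>/g;
  let body = 'let out = "";\n';
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    body += 'out += ' + JSON.stringify(template.slice(last, m.index)) + ';\n';
    if (m[1] === '=' || m[1] === '-') {
      body += 'out += String(' + m[2] + ');\n'; // expression tag: evaluated
    } else {
      body += m[2] + '\n';                       // scriptlet: arbitrary JS
    }
    last = m.index + m[0].length;
  }
  body += 'out += ' + JSON.stringify(template.slice(last)) + ';\nreturn out;';
  // The template author controls the function body: this is the RCE primitive.
  return new Function('data', body)(data);
}

// --- Mitigation: a data-only subset. Only <%= path %> with a dotted identifier
// path is accepted; values are looked up, never evaluated, and HTML-escaped. ---
const TAG_RE = /<%([=-]?)([\s\S]*?)%>/g;
const PATH_RE = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Returns a list of problems; an empty list means the template is acceptable.
function validateTemplate(template) {
  const problems = [];
  for (const m of template.matchAll(TAG_RE)) {
    const [tag, kind, inner] = m;
    if (kind !== '=') {
      problems.push('disallowed tag ' + JSON.stringify(tag));
    } else if (!PATH_RE.test(inner.trim())) {
      problems.push('not a plain field path: ' + JSON.stringify(inner.trim()));
    }
  }
  // A "<%" that never closes is still suspicious; reject it as well.
  if (template.replace(TAG_RE, '').includes('<%')) problems.push('unterminated tag');
  return problems;
}

// Own-property walk only: prototype keys such as constructor are not reachable.
function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return '';
    cur = cur[key];
  }
  return cur;
}

function safeRender(template, data) {
  const problems = validateTemplate(template);
  if (problems.length) throw new Error('template rejected: ' + problems.join('; '));
  return template.replace(TAG_RE, (_tag, _kind, inner) =>
    escapeHtml(lookup(data, inner.trim())));
}

// Constructed sample notifier context and templates.
const sampleData = { notification: { name: '<b>New report</b>' }, user: { email: 'analyst@example.invalid' } };
const goodTemplate = 'Alert: <%= notification.name %> for <%= user.email %>';
const badTemplate = 'Alert <% globalThis.__probe = "executed" %>';
```

With `sampleData`, `safeRender(goodTemplate, sampleData)` yields an escaped string, while `safeRender(badTemplate, sampleData)` throws before anything is evaluated; `unsafeRender(badTemplate, sampleData)` sets the global marker, which is exactly the property a notifier renderer must not have.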
Who is impacted
- OpenCTI deployments running opencti < 6.9.5.
- Environments where users (or compromised accounts) have the Manage customization capability and can influence notifier template execution.
- Higher-risk setups where OpenCTI has broad network reach and access to credentials/secrets via environment variables, mounted volumes, or adjacent internal services (typical in containerized deployments).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
"This vulnerability is fixed in 6.9.5."
- Inventory OpenCTI instances and identify which tenants/users have Manage customization; treat this capability as equivalent to “can execute code in the platform process” until confirmed patched.
- Review and harden runtime blast radius (defense-in-depth): minimize secrets available to the OpenCTI process, lock down outbound network egress, and ensure the container/service account permissions match least privilege.
- If compromise is suspected, audit changes to notifier templates/customizations and rotate credentials reachable by the OpenCTI service (API tokens, database credentials, cloud keys).
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
