Security Advisory 2022-045

Release Date:

TheHive and Cortex Active Directory Authentication Bypass



  • 22/06/2022 --- v1.0 -- Initial publication


On 22nd of June 2022 StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive.

The vulnerability allows impersonating any account on the platform, including administrators. The exploit is possible if the configured AD is on-premise. If the Active Directory authentication module is not enabled nor configured, or if Azure AD is used, the system is not vulnerable.

Technical Details

TheHive and Cortex products have an authentication vulnerability when the Active Directory module is enabled and used to authenticate users on the platform.

If an authentication request is sent with an existing account without a password through TheHive API, then AD response to the request is Success and TheHive accepts the user authentication. This vulnerability also exists in Cortex, the exploitation process is similar and leads to same consequences.

Affected Products

Below are the supported versions of the vulnerable products

  • TheHive 5.0.7 and earlier
  • TheHive 4.1.20 and earlier
  • Cortex 3.1.4 and earlier

Also, unsupported version (EOL since end of 2021) of TheHive 3 is also vulnerable. An exeptional update release is available for the porduct [1].


CERT-EU strongly recommends to update to the latest version available as soon as possible. Details of the patched versions can be found in [1].


In case the update is not possible, disabling the Active Directory authentication module prevents the vulnerability exploitation.



We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.