Version 6.9.25

Enhancements:

• #14891 : Update 3rd party dependencies on 6.9.x

Full Changelog: 6.9.24...6.9.25

Version 7.260309.0

Bug fixes

• #14737 Disabled local authentication strategy is set to enable following conversion to V7
• #14848 Infinite loading of cards is fully broken
• #14539 Dashboard configuration export (JSON) fails with INTERNAL_SERVER_ERROR: "Expected a string but received a Object"
• #14527 Dashboard: Export fails when a widget contains a dynamic "in regard of" filter

Pull Requests:

• [backend] Fix dashboard export failing with dynamicRegardingOf filters (#14539, #14527) by @SamuelHassine in #14858
• [frontend] fix Infinite loading of cards (#14848) by @CelineSebe in #14864
• [backend] fix migration for local strategy (#14737) by @marieflorescontact in #14790

Full Changelog: 7.260306.1...7.260309.0

Version 7.260306.1

Bug fixes

• #14839 OpenIDConnect authentication fail when access token is not a JWT

Pull Requests:

• [backend] fix OpenIDConnect when token are not valid JWT (#14839) by @xfournet in #14840

Full Changelog: 7.260306.0...7.260306.1

Version 7.260306.0

Enhancements:

• #14798 [backend/frontend] XTM One registration and ping mechanism (PoC)

Bug Fixes:

• #14816 Stream consumers should only return valid and ongoing consumers
• #14806 [Dashboard] Widget using a "in regards of" filter with a non-existent entity crashes and cannot be reconfigured
• #14802 User With Access Data Sharing capability can't open a stream
• #14800 Disabled workflows can not be activated on entities
• #14707 Investigation: Expand knowledge popup: incorrect margins/rendering
• #14435 Platform Theme Not Loading Correct Logo

Pull Requests:

• [doc] Fix typos, spelling mistakes, and grammar issues across docs/ folder by @Copilot in #14627
• [doc] Updated the reduce knowledge documentation and corrected typos (#13264) by @romain-filigran in #14795
• [deps] Update dependency markdown-to-jsx to v9 by @renovate[bot] in #13330
• [backend/frontend] XTM One registration and ping mechanism (#14798) by @SamuelHassine in #14563
• [frontend] Fix logo not following user's selected theme (#14435) by @claude in #14689
• [frontend] Error on a widget should not prevent the widget edition (#14806) by @Archidoit in #14819
• [backend] Stream consumers should only return valid and ongoing consumers (#14816) by @Archidoit in #14818
• [frontend] Disabled workflows can not be activated on entities (#14800) by @SarahBocognano in #14820
• [frontend] User With Access Data Sharing capability should be able to open stream via menu item (#14802) by @Archidoit in #14815
• [frontend] Investigation: Expand knowledge popup: incorrect margins/rendering (#14707) by @Gwendoline-FAVRE-FELIX in #14726

Full Changelog: 7.260305.0...7.260306.0

Version 6.9.24

Bug fixes

• #14816 Stream consumers should only return valid and ongoing consumers
• #14729 Consumer drawer is not present anymore
• #14585 Playbook: manipulating container files even if not needed
• #8207 Images embedded in report content are sized at 100% in PDF exports

Pull Requests:

• [backend] Stream consumers should only return valid and ongoing consumers (#14816) by @Archidoit in #14824
• [frontend] Reintroduce stream consumers drawer for Live streams (#14729) by @Archidoit in #14827
• [backend/pycti] Prevent file upload looping (#14585) by @richard-julien in #14825
• [frontend] Improve max width images / Improve management of images when moving from HTML to PDF (#8207) by @richard-julien in #14826

Full Changelog: 6.9.23...6.9.24

Version 7.260305.0

Enhancements:

• #14777 [backend/frontend] Improve visibility of messages for listen_queues
• #14754 [backend] Improve logging information when the platform decides to auto merge elements
• #14724 [DOC] Update with minimal OpenCTI version for the composer catalog
• #14703 AWS SDK proxy support
• #14680 [CSV Feed] Support relationship-based neighbor resolution in CSV Feed columns
• #13264 Allow "Reduce Knowledge" component to filter on any entities in the bundle, not just the triggering entities
• #5220 Add an operator "Only equals to" in filters

Bug Fixes:

• #14787 Error when updating the confidence level at creation in Security Coverage
• #14781 Current SSO configuration use the dot as separator, some configuration are broken
• #14769 'report_types_ov' not showing in Vocabularies
• #14763 NLQ search is broken
• #14758 [xtmhub] Prevent user from seeing 'register'/'unregister' buttons in the demo instance
• #14756 [Authentication] Conversion error during local strategy conversion
• #14736 Can't access the setting>security page
• #14675 Customization > Entities Table is not completely loading
• #14665 Backend error: strict_dynamic_mapping_exception, ([publisher] or [rating] within [attachment]), fileIndexManager usecase
• #14644 Worker never gives up requeuing work items that are being rejected by the remote server
• #14640 History markdown formatting is broken
• #14613 [BUG] boto3 requirements is too strict and is incompatible with stix-shifter
• #14601 Scrolling issue on Parameters/customization preventing entity types to be seen
• #14597 Error "Cant add another relation on single ref" with a bundle that contains IPv4 address and NetworkTraffic
• #14585 Playbook: manipulating container files even if not needed
• #14575 [Activity Logging] "merge" value missing from "Event scope" filter options
• #14566 Playbook: duplicate inferred relationship
• #14532 'In regards of' filters aren't displayed fully
• #14516 Form Intakes - full, half and third width are not working
• #14106 Can't update manually the revoked status of a vulnerability
• #13846 Margin in entity customization
• #13482 In widget mutli horizontal bar : sometimes category 'Others' is less than 0
• #12594 [playbook] "Reduce Knowledge" component is not working as expected
• #11886 Adding a domain to an exclusion list does not exclude its subdomains
• #10582 Clicking on the opinion radar should be disabled if no opinion are present instead of raising a kind of error
• #8207 Images embedded in report content are sized at 100% in PDF exports

Pull Requests:

• [frontend]fix padding in attributes card by @CelineSebe in #14608
• [frontend] Fix markdown not correctly display (#14640) by @marieflorescontact in #14657
• [frontend] add revoked to vulnerability edition form (#14106) by @JeremyCloarec in #14138
• [ci] Add issue linked verification (#13869) by @aHenryJard in #13870
• [deps] Update devDependencies (non-major) by @renovate[bot] in #14684
• [frontend] refacto slider field (#13845) by @CelineSebe in #13782
• [client-python] Loosen boto3 version constraint to fix stix-shifter compatibility (#14613) by @claude in #14692
• [frontend] Fix field width configuration (half/third) not working for additional entities in Form Intakes (#14516) by @claude in #14690
• [frontend/backend] 'Only equal to' new filter operator (#5220) by @Archidoit in #14543
• [ci] REVERT - Remove the issue link automated check part (#13869) by @aHenryJard in #14708
• [deps] Lock file maintenance by @renovate[bot] in #14710
• [backend/client] fix file handling in upsert by adding files versions (#14585) by @JeremyCloarec in #14614
• [client] exclude src_ref and dst_ref handling in import_observable (#14597) by @JeremyCloarec in #14666
• [client] ignore inferred items during import (#14566) by @JeremyCloarec in #14577
• [docs] Update with minimal OpenCTI version for the composer catalog (#14724) by @alice-debra in #14723
• [backend/client] revert fix file handling in upsert by adding files versions (#14585) by @JeremyCloarec in #14725
• [frontend] Re-introduce stream consumers drawer for Live streams (#14729) by @Archidoit in #14734
• [frontend] Clicking on the opinion radar should be disabled if no opinion are present instead of raising a kind of error (#10582) by @SarahBocognano in #14606
• [worker] Fix infinite requeuing of messages permanently rejected with 4xx errors (#14644) by @claude in #14687
• [frontend] Improve management of images when moving from HTML to PDF (#8207) by @lndrtrbn in #14715
• [backend] Add merge to EVENT_SCOPE_VALUES for activity logging filter (#14575) by @claude in #14706
• [backend] Revert "[deps] Update dependency zod to v4 (#12784)" (#14763) by @lndrtrbn in #14761
• [frontend] fix security menu redirections(#14736) by @CelineSebe in #14759
• [backend] Improve logging information when the platform decides to auto merge elements (#14754) by @richard-julien in #14755
• [frontend] fix VocabularyCategories usage of DataTableWithoutFragment by adding pageSize info (#14769) by @JeremyCloarec in #14774
• [backend] Split playbook components into separated files (#14283) by @MTorbay-Filigran in #14728
• [backend/frontend] Support relationship-based neighbor resolution in CSV Feed columns (#14680) by @SamuelHassine in #14681
• [frontend] fix customization list rendering (#14601) by @OctaveLaventure in #14771
• [backend/frontend] Improve visibility of messages for listen_queues (#14777) by @richard-julien in #14778
• [backend] Configure proxy on AWS SDK (#14703) by @xfournet in #14733
• [backend] Allow to quote path component in double quotes (#14781) by @xfournet in #14782
• [backend] fix Remote_logout following authentication conversion (#14756) by @CelineSebe in #14776
• [backend/pycti] Prevent file upload looping (#14585) by @richard-julien in #14749
• [frontend] Hide Register/Unregister XTM Hub buttons in demo mode (#14758) by @jbanety in #14762
• [ci] do not push latest docker tag if the release is not the most recent one (#14671) by @efaure in #14670
• [deps] Update dependency @langchain/core to v0.3.80 [SECURITY] by @renovate[bot] in #13828
• [backend] Fix strict_dynamic_mapping_exception exceptions thrown in fileIndexManager (#14665) by @fellowseb in #14655...

Version 7.260227.0

Enhancements:

• #14668 Introduce no_split option in send stix bundle in the Python lib
• #14115 Custom Right-Hand Side Background Image

Bug Fixes:

• #14599 Due Date item not aligned and not consistant with other items
• #14234 Improve graph label

Pull Requests:

• docs: fix broken and incorrect links in documentation by @Copilot in #14587
• [Doc] Add "Policy Life Cycle" documentation by @romain-filigran in #14519
• [deps] Update dependency fastapi to >=0.129.2,<0.130.0 by @renovate[bot] in #13800
• [deps] Update aws-sdk-js-v3 monorepo by @renovate[bot] in #14489
• [deps] Update dependency isort to v8 by @renovate[bot] in #14554
• [deps] Update dependency setuptools to v82 by @renovate[bot] in #14439
• [deps] Update dependency @pyroscope/nodejs to v0.4.10 by @renovate[bot] in #14483
• [deps] Update dependency marked to v17.0.3 by @renovate[bot] in #14488
• [deps] Update dependency slack to v6.1.3 by @renovate[bot] in #14549
• [deps] Update dependency webpack to v5.105.2 by @renovate[bot] in #14494
• [deps] Update rabbitmq Docker tag to v4.2.4 by @renovate[bot] in #14590
• [deps] Update dependency jsonpath-plus to v10.4.0 by @renovate[bot] in #14540
• [deps] Update dependency otplib to v13.3.0 by @renovate[bot] in #14492
• [deps] Update opensearchproject/opensearch-dashboards Docker tag to v3.5.0 by @renovate[bot] in #14486
• [deps] Update opensearchproject/opensearch Docker tag to v3.5.0 by @renovate[bot] in #14484
• [deps] Update otel/opentelemetry-collector-contrib Docker tag to v0.146.1 by @renovate[bot] in #14551
• [deps] Update dependency convert to v6 by @renovate[bot] in #14592
• [deps] Update dependency eslint-plugin-import-newlines to v2 by @renovate[bot] in #14552
• [deps] Update dependency prometheus-client to ~=0.24.1 by @renovate[bot] in #13189
• [deps] Update dependency ajv to v8.18.0 [SECURITY] by @renovate[bot] in #14521
• [deps] Update dependency remark-flexible-markers to v1.3.3 by @renovate[bot] in #14553
• [deps] Update redis Docker tag to v8.6.0 by @renovate[bot] in #14487
• [deps] Update dependency boto3 to ~=1.42.54 by @renovate[bot] in #14177
• [deps] Update dependency python_json_logger to v4 by @renovate[bot] in #13198
• [deps] Update dependency wheel to ~=0.46.3 by @renovate[bot] in #14184
• [deps] Update dependency black to v25.12.0 by @renovate[bot] in #13652
• [deps] Update dependency cachetools to v7 by @renovate[bot] in #14361
• [deps] Update devDependencies (non-major) by @renovate[bot] in #14490
• [deps] Update dependency openid-client to v6.8.2 by @renovate[bot] in #14594
• [deps] Lock file maintenance by @renovate[bot] in #14491
• [deps] Update dependency black to v26 by @renovate[bot] in #14148
• [frontend] Filters components refacto to tsx (#13845) by @Archidoit in #13942
• [frontend] encode keyword in global search & file search (#9652) by @JeremyCloarec in #14569
• [backend] handle decay excluded indicators in indicatorEditField (#14347) by @JeremyCloarec in #14572
• [backend] In playbook, in contain wrapper from an incident, add more mapping (#11622) by @SarahBocognano in #14531
• [frontend] Fix 'Manager deployment' columns alignment in Ingestion (#13303) by @Gwendoline-FAVRE-FELIX in #14571
• [deps] Update dependency zod to v4 by @renovate[bot] in #12784
• [deps] Update dependency three to v0.183.1 by @renovate[bot] in #14031
• [backend] fix rootPrivateQuery crashes without knowlege capa (#12951) by @marieflorescontact in #14612
• [frontend] fixes OpenCTI Streams old name still present (14038) by @marieflorescontact in #14617
• [frontend] Fix of vocabulary descriptions(#12799) by @CelineSebe in #14607
• [frontend] Reintroduce AI Insights button in Report (#14622) by @Archidoit in #14641
• [backend] fix livestreamhandler monitoring fail on redis pipeline (#14604) by @xfournet in #14621
• [ci] Add automated PR title check(#13867) by @aHenryJard in #13868
• [frontend] fix in regards of filter button (#14532) by @esrevi in #14573
• [frontend] Improve graph labels (#14234) by @lndrtrbn in #14638
• [docker-compose] Update LDAP port in docker-compose to be compatible with Podman by @xfournet in #14635
• [backend] Improve Cyberark secret mapping (#14588) by @xfournet in #14589
• [deps] Update eslint monorepo to v10 (major) by @renovate[bot] in #14410
• [ci] remove script that was used by drone only (#14646) by @aHenryJard in #14647
• [frontend] Fix promoted checkbox not showing in container observables screen (#14598) by @marieflorescontact in #14652
• [backend/frontend] login aside panel customization (#14115) by @esrevi in #14648
• [docs/frontend] Update Theme customization documentation (#14115) by @Archidoit in #14667
• [frontend] Due Date Item alignement and design (#14599) by @Archidoit in #14602

Full Changelog: 7.260224.0...7.260227.0

Version 6.9.23

Bug fixes

• #14622 'AI insights' not available on reports

Pull Requests:

• [ci] do not produce prerelease build and docker images by @labo-flg in #14618
• [frontend] Reintroduce AI Insights button in Report (#14622) by @Archidoit in #14651

Full Changelog: 6.9.22...6.9.23

Version 7.260224.0

Dear community, we're excited to announce the launch of OpenCTI version 7 (7.260224.0) 🥳.
We packed a lot of content on this release, and you will see important changes when using OpenCTI. This changes imply breaking changes.

Important

Make sure you read the Breaking Change section at the bottom of this Release Note.

We are also introducing a new version naming convention matching our current ability to deliver releases. All of it make it worth to jump into the 7 digit 🙂

📌 First of all, we’re introducing a new Long Term Support (LTS) License.

An LTS license allows Entreprise Edition users to stay on a LTS version for up to one year while receiving backported fixes for critical bugs and security issues. This licence is available to those of our On-Prem EE customers that might be tied by mandatory testing framework before going to production and that cannot match our current rythm of release.

We plan to release two LTS versions per year, giving you the option to align feature upgrades with a predictable twice‑yearly cycle.

You will find all information about the new Product Lifecycle of OpenCTI, including the new naming convention and the new Long Term Support offering, to this documentation page:  https://docs.opencti.io/latest/administration/product-life-cycle/

🍬 Important to note, OpenCTI v7 introduces first steps towards a full new UI Design System, helping users to focus on what matters & reduce the cognitive load. From the start, you will see the difference!

This Major release is also full of improvements and new features, focusing on solving key pain points and unlocking new use cases, including:

• Manage authentication strategies, to increase autonomy in setting up the application
• Control of capabilities in draft workspace, allowing you to force users to only edit data in a draft
• A new browser extension, simplify data collection process by remaining in a single screen
• User visibility, allowing users to keep data properly segregated
• Automation improvements, simplify label cleanup & trigger playbooks manually
• Securing the platform by providing state of the art token management solution

🔐 Manage Authentication Strategy via UI (EE)

In version 7 you will now be able to manage your SSO authentication mechanism via the OpenCTI UI (if your platform is Entreprise edition). This means that you will no longer need to update the configuration file (cross your fingers and hope) and reload the app to make changes. For all existing, your configurations will now be available via the UI and you can easily update and add new configurations as you require. This feature allows you be self sufficient, regardless of your deployment type (on-premise, SaaS).

Important

As announced in December 2025, SSO will fall under Entreprise Edition license in Version 7. This will mean that any Community Edition platforms that migrate to version 7.0.0 and onwards will not be able to login using SSO configured previously.
Moving SSO to the Enterprise Edition ensures that Filigran can sustainably maintain and continuously improve OpenCTI over the long term, while keeping investment strong in the Community Edition's core capabilities and responsibly managing the resources required to run a secure, high-quality open-source security platform.*

Almost all existing authentication methods will remain available in the UI. Configuration defined in files will still exist but migrated into the database and used for login. For migration details, authentication setup guidance, or troubleshooting, please refer to the links below.

• Migration Details
• Authentication setup guidance & troubleshooting

🔒 Improved API Token Management (CE)

We've redesigned API token management in OpenCTI for better control, security, and visibility.

What's changed

• Explicit token generation: Tokens must now be explicitly generated—no longer auto-assigned to every user.
• Multiple tokens per user: Generate multiple tokens per account to manage integrations independently and revoke them individually.
• Token expiration: Assign expiration dates to enforce rotation policies and limit credential lifespan.
• Token value shown only at creation: Token values display only once at generation. Copy it immediately - it cannot be retrieved later.
• Usage tracking: Monitor token activity with "last used" indicators to identify active tokens.

Existing tokens will continue working. We recommend reviewing tokens and transitioning to the new model for expiration controls and per-integration isolation.

💼 Control of capabilities in draft mode (EE)

Draft mode now supports granular capability controls, separate from platform-wide permissions.

This lets you restrict analysts to creating/updating data in drafts only, while others approve and validate—securing your platform and preventing unwanted changes.

This is the first step toward a validation workflow leveraging the draft workspace—more updates coming soon.

🥷 User visibility to ensure privacy (CE)

User visibility ensures no data leakage across organizations (available since 6.9.11)

• Platforms with organization segregation: users only see users in their immediate organizations, not those in other organizations accessed via inference. This behavior is enforced when using organization segregation.
  • Example: Previously, if Filigran was the parent entity with Filigran France & Filigran USA as children, users of France & USA could see each other through Filigran (via inference rules). Now, this requires manually adding France & USA users to the Filigran parent.
  • Impact:
    • Fewer users will be visible on some platforms.
    • Benefit: enables sharing to organization groups without exposing users. Create an organization for sharing (e.g., "Energy" sector), add child organizations, and share to Energy. All organizations gain access without viewing other users.
• Platforms without organization segregation: visibility restricted by organization is enabled by default on migration. Change this in the policy screen.

🎨 Revamping OpenCTI’s UI, helping users to focus on what matters & reduce the cognitive load (CE)

The platform interface has been completely modernized with the V7 design system. This comprehensive redesign touches nearly every visual element you interact with: buttons, navigation, drawers, cards, labels, header, and many other components.

The goal? Create a lighter, cleaner interface that helps you work faster and with less visual noise.

Key improvements include:

• Streamlined user experience: A cleaner, more intuitive interface reduces cognitive load, making features easier to discover and use throughout the platform.
• Design consistency: The V7 design system ensures predictable, uniform interactions across all features, eliminating confusion from inconsistent design patterns.
• Enhanced accessibility: Improved contrast ratios, element sizing, and responsive behaviors make the platform more accessible to all users.
• Modern aesthetic: The updated visual design reflects current standards and builds confidence in the platform's capabilities.

This foundational redesign addresses previous challenges with visual complexity and outdated patterns, transforming the interface into a modern, efficient workspace that helps security teams focus on what matters most: Threat intelligence and Analysis.

🌐 A new browser extension, simplify data collection process by remaining in a single screen (CE/EE)

We're introducing a browser extension that bridges any web page directly with your OpenCTI platform, eliminating the need to switch between your browser and OpenCTI when collecting threat intelligence.

How it works:

• Automatic entity detection and enrichment: The extension scans the page you're viewing and detects cyber entities of interest such as IOCs, threat actors, and vulnerabilities. It then enriches them with contextual cards displaying information already present in your OpenCTI instance, shown directly next to the detected elements on the page.
• One-click report creation: Convert any web page into a STIX 2.1 report that embeds the page content, models the identified entities and their relationships, and publishes it directly to your platform for immediate use.

The extension is available for all major browsers: Firefox, Chrome, Edge, and Safari.

What this solves:

Analysts spend significant time browsing the web for threat intelligence across blogs, social media, advisories, and other sources. When they find relevant content, they face a tedious workflow: checking if the information already exists in OpenCTI, then manually creating objects and relationships, or converting the page to PDF for AI-assisted extraction.

This extension eliminates that friction. You stay on the page you're reading while the extension handles detection, enrichment, and ingestion. No more context switching, no more manual modeling, no more PDF conversions.

Community vs. Enterprise capabilities:

• CE version provides regex-driven indicator recognition for automatic detection of common IOC patterns.
• EE version leverages AI extraction service to automatically det...

Version 6.9.22

Bug Fixes:

• #14537 Error on history event processing on [noHistory] forbidden in context_data.changes

Pull Requests:

• [backend] fix buggy history events (#14537) by @xfournet in #14538
• [backend] RelationToRule inference from/to types of relationships checking (#11824) by @Archidoit in #14453
• [backend] keep updatedInstance up to date with update changes (#14449) by @JeremyCloarec in #14452
• [frontend] feat(security-coverage): redirect to security coverage overview from covered entity (OpenAEV#4676) by @antoinemzs in #14188
• [Doc] Revert introduction of new SSO configuration in 6.9.X version by @romain-filigran in #14556
• [client] fix generate_export external references files handling (#14529) by @JeremyCloarec in #14535
• [ci] Update namespace name for dev and testing deployment by @efaure in #14561

Full Changelog: 6.9.21...6.9.22