Platform: python
Component: opencti
Fixed in: 6.8.17, 6.8.16
CVE-2026-21887 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenCTI, an open-source cyber threat intelligence platform. This flaw allows attackers to manipulate the platform into making requests to arbitrary endpoints, potentially exposing internal services. The vulnerability impacts versions of OpenCTI prior to 6.8.16 and is resolved in version 6.8.16.
The SSRF vulnerability in OpenCTI arises from insufficient validation of user-supplied URLs within the data ingestion feature. The platform utilizes the Axios HTTP client with the allowAbsoluteUrls: true configuration, enabling attackers to craft requests targeting internal resources. While responses might not be fully visible, the ability to trigger requests to internal systems poses a significant risk. An attacker could potentially scan internal networks, access sensitive data stored on internal servers, or even trigger actions within internal applications, depending on the exposed endpoints. This could lead to data breaches, system compromise, and disruption of services.
CVE-2026-21887 was publicly disclosed on 2026-03-12. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. The vulnerability's impact is amplified by the potential for accessing internal services, making it a high-priority concern for organizations deploying OpenCTI.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-21887 is to upgrade OpenCTI to version 6.8.16 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds. Restrict network access to the OpenCTI server to only necessary internal resources. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious URLs or patterns indicative of SSRF attempts. Carefully review and restrict the URLs allowed for data ingestion within the OpenCTI configuration. After upgrading, verify the fix by attempting to craft a request to an internal service and confirming that the request is blocked or fails as expected.
Update OpenCTI to version 6.8.16 or higher. This version fixes the SSRF (Server-Side Request Forgery) vulnerability by properly validating external URLs in the data ingestion feature.
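The advisory's root cause (user-supplied URLs reaching Axios with allowAbsoluteUrls: true and no validation) and its recommended workaround (restricting the URLs allowed for data ingestion) both come down to one control: an allow-list check on the URL before any request is built. The block below is an added example written for this page; it is not OpenCTI's code and does not reproduce the project's fix. Function names such as validateIngestUrl, weakRequestConfig and hardenedRequestConfig are assumptions, and the Axios configurations are returned as plain objects (with the real option names allowAbsoluteUrls, maxRedirects and timeout) so the block runs without Axios installed.

```javascript
// Added example (not OpenCTI's own code): allow-list validation for a
// user-supplied data-ingestion URL, with the weak Axios request configuration
// beside a hardened one. All function names here are assumptions.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Non-public IPv4 ranges that an ingestion fetch must never reach.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return (
    a === 0 ||                            // 0.0.0.0/8 ("this" network)
    a === 10 ||                           // 10.0.0.0/8
    a === 127 ||                          // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127)    // 100.64.0.0/10 shared address space
  );
}

// Recover a dotted IPv4 address from an IPv4-mapped IPv6 literal. The WHATWG
// URL parser serializes "::ffff:127.0.0.1" as "::ffff:7f00:1", so both the
// dotted and the hex form are handled.
function mappedIPv4(ip) {
  if (!ip.startsWith('::ffff:')) return null;
  const rest = ip.slice('::ffff:'.length);
  if (IPV4_RE.test(rest)) return rest;
  const parts = rest.split(':');
  if (parts.length !== 2) return null;
  const hi = parseInt(parts[0], 16);
  const lo = parseInt(parts[1], 16);
  if (Number.isNaN(hi) || Number.isNaN(lo)) return null;
  return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
}

function isPrivateIPv6(ip) {
  const lower = ip.toLowerCase();
  if (lower === '::1' || lower === '::') return true;   // loopback, unspecified
  if (/^f[cd]/.test(lower)) return true;                // fc00::/7 unique local
  if (/^fe[89ab]/.test(lower)) return true;             // fe80::/10 link-local
  const v4 = mappedIPv4(lower);
  return v4 !== null && isPrivateIPv4(v4);
}

// Decide whether a user-supplied feed URL may be fetched.
// Returns { ok: true, url } for an acceptable URL, else { ok: false, reason }.
function validateIngestUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (err) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  // url.hostname keeps the brackets around an IPv6 literal; drop them.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === '' || host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback or empty host' };
  }
  // The parser already normalizes numeric hosts (e.g. 2130706433) to dotted
  // form, so the literal-address check below sees the canonical value.
  if (IPV4_RE.test(host) && isPrivateIPv4(host)) {
    return { ok: false, reason: `non-public IPv4 address ${host}` };
  }
  if (host.includes(':') && isPrivateIPv6(host)) {
    return { ok: false, reason: `non-public IPv6 address ${host}` };
  }
  return { ok: true, url: url.toString() };
}

// Weak pattern: the caller's string goes straight into the request and an
// absolute URL is honoured as-is, so any reachable endpoint can be requested.
function weakRequestConfig(raw) {
  return { method: 'get', url: raw, allowAbsoluteUrls: true };
}

// Hardened pattern: validate first, refuse redirects (a public host could
// otherwise bounce the fetch to an internal one), and bound the request time.
function hardenedRequestConfig(raw) {
  const check = validateIngestUrl(raw);
  if (!check.ok) throw new Error(`ingest URL rejected: ${check.reason}`);
  return { method: 'get', url: check.url, maxRedirects: 0, timeout: 10000 };
}

// Constructed sample inputs for a stand-alone run.
const SAMPLES = [
  'https://feeds.example.com/indicators.json',
  'http://127.0.0.1:8080/internal/',
  'http://[::ffff:127.0.0.1]/',
  'file:///etc/passwd',
];
for (const s of SAMPLES) {
  console.log(s, '->', JSON.stringify(validateIngestUrl(s)));
}
```

A string-level check like this is necessary but not sufficient: a public hostname that resolves to an internal address (including one that changes between validation and connection) passes it. Resolving the name and re-checking the address at connect time, or enforcing egress restrictions at the network layer as the advisory's workaround suggests, closes that gap. The same validator doubles as the post-upgrade verification step described above: a request to an internal service should be rejected before any connection is made.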
CVE-2026-21887 is a Server-Side Request Forgery vulnerability in OpenCTI versions prior to 6.8.16, allowing attackers to make requests to internal services.
You are affected if you are running an OpenCTI version earlier than 6.8.16. Upgrade to 6.8.16 to mitigate the risk.
Upgrade OpenCTI to version 6.8.16. As a temporary workaround, restrict network access and implement WAF rules.
There is currently no confirmed evidence of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official OpenCTI security advisory for detailed information and updates: [https://github.com/opencti/opencti/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/opencti/opencti/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)