HIGH · CVE-2026-21887 · CVSS 7.7

CVE-2026-21887


Platform

python

Component

opencti

Fixed in

6.8.17

6.8.16

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-21887 describes a Server-Side Request Forgery (SSRF) vulnerability in OpenCTI, an open-source cyber threat intelligence platform. An attacker holding a low-privileged account (the CVSS vector requires PR:L, no user interaction) can make the platform issue HTTP requests to destinations of the attacker's choosing, including services that are only reachable from the OpenCTI host. The vulnerability affects OpenCTI versions prior to 6.8.16 and is fixed in 6.8.16.


Impact and Attack Scenarios

The SSRF arises from insufficient validation of user-supplied URLs in the data ingestion feature. OpenCTI hands those URLs to the Axios HTTP client with allowAbsoluteUrls: true, the Axios default, under which an absolute URL in the request overrides any configured baseURL; a user who can define an ingestion source therefore chooses the exact destination the server connects to. Even where the response body is not returned to the attacker (a blind SSRF), the ability to make the server issue requests to internal systems is a significant risk: depending on what is reachable from the OpenCTI host, an attacker could scan internal networks, read data from internal services, or trigger actions in internal applications that trust requests originating from that host. Outcomes range from data exposure to compromise of adjacent systems and disruption of services.

Exploitation Context

CVE-2026-21887 was publicly disclosed on 2026-03-12. There is currently no indication of active exploitation and no CISA KEV listing. No public proof-of-concept is available yet, but SSRF bugs of this kind are straightforward to reproduce once the vulnerable input is known, so public code is likely to follow. Because the flaw gives access to whatever is reachable from the OpenCTI host, it should be treated as a high-priority fix by organizations deploying OpenCTI.

Who Is at Risk

Organizations using OpenCTI for threat intelligence management are at risk, particularly where the instance is exposed to untrusted networks, where accounts are issued to external or low-trust users (a low-privileged account is enough to exploit the flaw), or where data is ingested from external sources without rigorous validation. Multi-tenant deployments in which several organizations share one OpenCTI instance are at increased risk: a single compromised or malicious user can use the vulnerability to reach resources that belong to other tenants or to the hosting infrastructure.

Detection Steps

• linux / server: Monitor OpenCTI logs for unusual outbound HTTP requests, particularly those targeting private, loopback or link-local addresses (the cloud metadata address lives in 169.254.0.0/16) or non-standard ports. If the service logs to journald, watch it in real time with journalctl -f. The pattern below covers the RFC 1918, loopback and link-local ranges; decimal or hex-encoded addresses such as http://2130706433/ still slip past a grep and need real URL parsing to catch.

journalctl -f | grep -Ei 'https?://(10\.|127\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|localhost|\[::1\])'

• generic web: Examine OpenCTI access and error logs for ingestion requests whose URL points at an internal address or uses an unexpected scheme. Running curl from the OpenCTI host, as below with a placeholder path, only shows which internal services an SSRF from that host could reach; it does not by itself show that the platform is vulnerable. To test the SSRF itself, define an ingestion source whose URL points at an internal service or at a listener you control and check whether the server makes the request; on a fixed version it should be rejected.

curl -v http://localhost/internal_service

• python: If you have access to the OpenCTI code, review the data ingestion module for places where a user-supplied URL is passed to Axios without validation of its scheme and destination.

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.03% (percentile 10%)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7 HIGH)
Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality within the impacted scope. The attacker can read the affected data.
Integrity
None: no impact on integrity.
Availability
None: no impact on availability.

Affected Software

Component: opencti
Vendor: OpenCTI-Platform
Affected range: < 6.8.16
Fixed in: 6.8.16 (6.8.17 also listed)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-21887 is to upgrade OpenCTI to 6.8.16 or later. If an immediate upgrade is not feasible, reduce exposure in the meantime. Apply egress filtering so the OpenCTI host can reach only the external feeds and internal services it genuinely needs, denying loopback, RFC 1918 and link-local destinations (including cloud metadata endpoints) by default. Limit the ability to create or edit ingestion sources to trusted administrators, since a low-privileged account is enough to exploit the flaw, and review the URLs of existing ingestion sources, removing anything that does not point at an intended external feed. A Web Application Firewall with rules for SSRF patterns in the ingestion API can add some coverage, but it only sees URLs in the parts of the request it inspects and will miss encoded addresses (decimal or hex IPs) and hostnames that resolve to internal addresses, so treat it as defense in depth rather than a fix. After upgrading, verify the fix by configuring an ingestion source that points at an internal service or at a listener you control and confirming that the request is rejected or never arrives.

How to fix

Update OpenCTI to version 6.8.16 or later. This version fixes the SSRF by properly validating external URLs in the data ingestion feature.


Frequently Asked Questions

What is CVE-2026-21887 — SSRF in OpenCTI?

CVE-2026-21887 is a Server-Side Request Forgery vulnerability in OpenCTI versions prior to 6.8.16, allowing attackers to make requests to internal services.

Am I affected by CVE-2026-21887 in OpenCTI?

You are affected if you run an OpenCTI version earlier than 6.8.16. Upgrade to 6.8.16 or later to mitigate the risk.

How do I fix CVE-2026-21887 in OpenCTI?

Upgrade OpenCTI to version 6.8.16. As a temporary workaround, restrict network access and implement WAF rules.

Is CVE-2026-21887 being actively exploited?

There is currently no confirmed evidence of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.

Where can I find the official OpenCTI advisory for CVE-2026-21887?

The GHSA identifier for this CVE is not recorded here; look it up by CVE number in the OpenCTI security advisories on GitHub: https://github.com/OpenCTI-Platform/opencti/security/advisories
