opencti
Fixed in
6.8.17
6.8.16
CVE-2026-21887 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenCTI, an open-source cyber threat intelligence platform. This flaw allows attackers to manipulate the platform into making requests to arbitrary endpoints, potentially exposing internal services. The vulnerability impacts versions of OpenCTI prior to 6.8.16 and is resolved in version 6.8.16.
The SSRF vulnerability in OpenCTI arises from insufficient validation of user-supplied URLs within the data ingestion feature. The platform utilizes the Axios HTTP client with the allowAbsoluteUrls: true configuration, enabling attackers to craft requests targeting internal resources. While responses might not be fully visible, the ability to trigger requests to internal systems poses a significant risk. An attacker could potentially scan internal networks, access sensitive data stored on internal servers, or even trigger actions within internal applications, depending on the exposed endpoints. This could lead to data breaches, system compromise, and disruption of services.
CVE-2026-21887 was publicly disclosed on 2026-03-12. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the SSRF nature of the vulnerability makes it likely that such code will emerge. The vulnerability's impact is amplified by the potential for accessing internal services, making it a high-priority concern for organizations deploying OpenCTI.
Organizations utilizing OpenCTI for threat intelligence management are at risk, particularly those with OpenCTI instances exposed to untrusted networks or those that ingest data from external sources without rigorous validation. Shared hosting environments where multiple users share the same OpenCTI instance are also at increased risk, as a compromised user could potentially exploit the vulnerability to access resources belonging to other users.
• linux / server: Monitor OpenCTI logs for unusual outbound HTTP requests, particularly those targeting internal IP addresses or non-standard ports. Use journalctl -f to observe real-time log activity.
  journalctl -f | grep -i "http://192\.168\."
• generic web: Examine OpenCTI access and error logs for requests containing suspicious URL patterns, such as those containing internal IP addresses or unusual protocols. Use curl to test for SSRF by attempting to access an internal service.
  curl -v http://localhost/internal_service
• python: If you have access to the OpenCTI code, review the data ingestion module for any instances where URLs are constructed and sent to Axios without proper validation.
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-21887 is to upgrade OpenCTI to version 6.8.16 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds. Restrict network access to the OpenCTI server to only necessary internal resources. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious URLs or patterns indicative of SSRF attempts. Carefully review and restrict the URLs allowed for data ingestion within the OpenCTI configuration. After upgrading, verify the fix by attempting to craft a request to an internal service and confirming that the request is blocked or fails as expected.
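The two practical controls the advisory asks for, validating user-supplied ingestion URLs before they reach the HTTP client and scanning logs for fetches of internal addresses, share one check: is the target an internal address or a non-HTTP scheme? The following is an added example (not OpenCTI's or Axios's own code) that implements that check once and uses it both as an ingestion-side URL policy and as a log triage filter. It assumes an Axios-like client whose request config accepts baseURL, allowAbsoluteUrls, maxRedirects and timeout; the log lines, the feeds.example.org host and the url= log field are constructed for the demo, not OpenCTI's real format.

```javascript
// Added example, not OpenCTI or Axios code. Assumes an Axios-like client
// config (baseURL / allowAbsoluteUrls / maxRedirects / timeout); log format,
// hosts and URLs below are constructed for illustration.

// Parse a dotted-quad IPv4 literal into its four octets, or null if it is not one.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True when a literal host is one a user-supplied URL must never reach:
// loopback, RFC 1918, link-local (incl. cloud metadata 169.254.169.254),
// CGNAT, unspecified, and the IPv6 equivalents (incl. IPv4-mapped).
function isInternalAddress(host) {
  const v4 = parseIPv4(host);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  // The WHATWG URL parser returns IPv6 hostnames wrapped in brackets.
  const v6 = host.replace(/^\[|\]$/g, '').toLowerCase();
  if (v6.includes(':')) {
    if (v6.startsWith('::ffff:')) {           // IPv4-mapped: re-check the inner IPv4
      const rest = v6.slice(7);
      if (rest.includes('.')) return isInternalAddress(rest);
      const [hi, lo] = rest.split(':').map((h) => parseInt(h, 16));
      return isInternalAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return v6 === '::' || v6 === '::1' ||
      v6.startsWith('fc') || v6.startsWith('fd') ||   // unique local fc00::/7
      /^fe[89ab]/.test(v6);                           // link-local fe80::/10
  }
  return host === 'localhost' || host.endsWith('.localhost');
}

// Decide whether a user-supplied ingestion URL may be fetched.
// Returns { ok: true, url } or { ok: false, reason }.
function validateIngestionUrl(input, allowedHosts) {
  let url;
  try {
    url = new URL(input);   // also normalises forms like http://0x7f.1/ to 127.0.0.1
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} rejected; only http/https permitted` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL rejected' };
  }
  if (isInternalAddress(url.hostname)) {
    return { ok: false, reason: `internal address ${url.hostname} rejected` };
  }
  if (allowedHosts && !allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not on the ingestion allow-list` };
  }
  return { ok: true, url: url.toString() };
}

// Build the request config for the (assumed) Axios-like client. allowAbsoluteUrls: false,
// the opposite of the setting named in the advisory, makes the client resolve every
// request against baseURL instead of honouring an absolute URL from the caller.
function buildRequestConfig(validated) {
  const base = new URL(validated.url);
  return {
    baseURL: `${base.protocol}//${base.host}`,
    url: base.pathname + base.search,
    allowAbsoluteUrls: false,
    maxRedirects: 0,   // a redirect to an internal host would otherwise bypass the check
    timeout: 10000,
  };
}

// Detection side: the same policy applied to (constructed) ingestion log lines.
const SAMPLE_LOG = [
  '2026-03-12T10:00:01Z ingest fetch url=https://feeds.example.org/indicators.json status=200',
  '2026-03-12T10:00:05Z ingest fetch url=http://169.254.169.254/latest/meta-data/ status=200',
  '2026-03-12T10:00:09Z ingest fetch url=http://10.0.3.7:9200/_cat/indices status=401',
  '2026-03-12T10:00:12Z ingest fetch url=file:///etc/hostname status=0',
];

// Return every log line whose fetched URL would fail the ingestion policy, with the reason.
function findSuspiciousFetches(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /\burl=(\S+)/.exec(line);
    if (!m) continue;
    const verdict = validateIngestionUrl(m[1]);
    if (!verdict.ok) hits.push({ line, reason: verdict.reason });
  }
  return hits;
}

console.log(JSON.stringify(findSuspiciousFetches(SAMPLE_LOG), null, 2));
```

Running the block prints three flagged lines (the metadata-service, RFC 1918 and file: fetches). Two caveats for real deployments: the check only inspects literal addresses, so a hostname that resolves to an internal address (or changes its answer between validation and connection) still needs the same test applied to the resolved address at connect time; and an allow-list of ingestion hosts, as the advisory suggests, is stronger than a deny-list of address ranges.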
Update OpenCTI to version 6.8.16 or higher. This version corrects the SSRF vulnerability by properly validating external URLs in the data ingestion feature.
CVE-2026-21887 is a Server-Side Request Forgery vulnerability in OpenCTI versions prior to 6.8.16, allowing attackers to make requests to internal services.
You are affected if you are using OpenCTI version 6.8.16 or earlier. Upgrade to 6.8.16 to mitigate the risk.
Upgrade OpenCTI to version 6.8.16. As a temporary workaround, restrict network access and implement WAF rules.
There is currently no confirmed evidence of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official OpenCTI security advisory for detailed information and updates: [https://github.com/opencti/opencti/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/opencti/opencti/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL)