Search criteria
Related vulnerabilities
CVE-2026-21887 (GCVE-0-2026-21887)
Vulnerability from cvelistv5 – Published: 2026-03-12 17:00 – Updated: 2026-03-12 17:52
VLAI
Title
OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
Summary
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.
Severity
7.7 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/OpenCTI-Platform/opencti/secur… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenCTI-Platform | opencti |
Affected:
< 6.8.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T17:51:53.670909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T17:52:55.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opencti",
"vendor": "OpenCTI-Platform",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform\u2019s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T17:00:43.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5"
}
],
"source": {
"advisory": "GHSA-ffm6-vvph-g5f5",
"discovery": "UNKNOWN"
},
"title": "OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21887",
"datePublished": "2026-03-12T17:00:43.944Z",
"dateReserved": "2026-01-05T17:24:36.929Z",
"dateUpdated": "2026-03-12T17:52:55.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
PYSEC-2026-118
Vulnerability from pysec - Published: 2026-03-12 17:16 - Updated: 2026-05-20 09:19
VLAI
Details
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.
Severity
7.7 (High)
Impacted products
| Name | purl | pycti | pkg:pypi/pycti |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pycti",
"purl": "pkg:pypi/pycti"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.8.16"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2.1",
"1.2.11",
"1.2.12",
"1.2.13",
"1.2.14",
"1.2.15",
"1.2.2",
"1.2.4",
"1.2.9",
"2.0.0",
"2.0.1",
"2.0.2",
"2.0.3",
"2.1.10",
"2.1.11",
"2.1.12",
"2.1.13",
"2.1.3",
"2.1.4",
"2.1.5",
"2.1.6",
"2.1.7",
"2.1.8",
"2.1.9",
"3.0.0",
"3.0.1",
"3.0.2",
"3.0.3",
"3.1.0",
"3.1.1",
"3.1.2",
"3.2.0",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2.4",
"3.2.5",
"3.2.6",
"3.2.7",
"3.3.0",
"3.3.1",
"3.3.2",
"3.3.3",
"4.0.0",
"4.0.1",
"4.0.2",
"4.0.3",
"4.0.4",
"4.0.5",
"4.0.6",
"4.0.7",
"4.1.0",
"4.1.1",
"4.1.2",
"4.2.1",
"4.2.2",
"4.2.3",
"4.2.4",
"4.3.0",
"4.3.1",
"4.3.2",
"4.3.3",
"4.3.4",
"4.3.5",
"4.4.0",
"4.4.1",
"4.4.2",
"4.4.3",
"4.5.0",
"4.5.1",
"4.5.2",
"4.5.3",
"4.5.4",
"4.5.5",
"5.0.0",
"5.0.1",
"5.0.2",
"5.0.3",
"5.1.0",
"5.1.1",
"5.1.2",
"5.1.3",
"5.1.4",
"5.10.0",
"5.10.1",
"5.10.2",
"5.10.3",
"5.11.0",
"5.11.1",
"5.11.10",
"5.11.11",
"5.11.12",
"5.11.13",
"5.11.14",
"5.11.2",
"5.11.3",
"5.11.4",
"5.11.5",
"5.11.6",
"5.11.7",
"5.11.8",
"5.11.9",
"5.12.0",
"5.12.1",
"5.12.10",
"5.12.11",
"5.12.12",
"5.12.13",
"5.12.14",
"5.12.15",
"5.12.16",
"5.12.17",
"5.12.18",
"5.12.19",
"5.12.2",
"5.12.20",
"5.12.21",
"5.12.22",
"5.12.23",
"5.12.24",
"5.12.25",
"5.12.26",
"5.12.27",
"5.12.28",
"5.12.29",
"5.12.3",
"5.12.30",
"5.12.31",
"5.12.32",
"5.12.33",
"5.12.4",
"5.12.5",
"5.12.6",
"5.12.7",
"5.12.8",
"5.12.9",
"5.2.0",
"5.2.1",
"5.2.2",
"5.2.3",
"5.2.4",
"5.3.0",
"5.3.1",
"5.3.10",
"5.3.11",
"5.3.12",
"5.3.13",
"5.3.14",
"5.3.15",
"5.3.16",
"5.3.17",
"5.3.2",
"5.3.3",
"5.3.4",
"5.3.5",
"5.3.6",
"5.3.7",
"5.3.8",
"5.3.9",
"5.3.post5310",
"5.3.post5311",
"5.3.post5312",
"5.3.post5314",
"5.3.post5315",
"5.3.post5316",
"5.3.post5317",
"5.3.post5318",
"5.4.0",
"5.4.1",
"5.5.0",
"5.5.1",
"5.5.2",
"5.5.3",
"5.5.4",
"5.5.5",
"5.5.6",
"5.5.post551",
"5.5.post552",
"5.5.post553",
"5.5.post554",
"5.5.post555",
"5.5.post556",
"5.6.0",
"5.6.1",
"5.6.2",
"5.6.post560",
"5.6.post561",
"5.6.post562",
"5.7.0",
"5.7.1",
"5.7.2",
"5.7.3",
"5.7.4",
"5.7.5",
"5.7.6",
"5.7.post570",
"5.7.post571",
"5.7.post572",
"5.7.post573",
"5.7.post574",
"5.7.post575",
"5.7.post576",
"5.8.0",
"5.8.1",
"5.8.2",
"5.8.3",
"5.8.4",
"5.8.5",
"5.8.6",
"5.8.7",
"5.9.0",
"5.9.1",
"5.9.2",
"5.9.3",
"5.9.4",
"5.9.5",
"5.9.6",
"6.0.0",
"6.0.1",
"6.0.10",
"6.0.2",
"6.0.3",
"6.0.4",
"6.0.5",
"6.0.6",
"6.0.7",
"6.0.8",
"6.0.9",
"6.1.0",
"6.1.1",
"6.1.10",
"6.1.11",
"6.1.12",
"6.1.13",
"6.1.2",
"6.1.3",
"6.1.4",
"6.1.5",
"6.1.6",
"6.1.7",
"6.1.8",
"6.1.9",
"6.2.0",
"6.2.1",
"6.2.10",
"6.2.11",
"6.2.12",
"6.2.13",
"6.2.14",
"6.2.15",
"6.2.16",
"6.2.17",
"6.2.18",
"6.2.19",
"6.2.2",
"6.2.3",
"6.2.4",
"6.2.5",
"6.2.6",
"6.2.7",
"6.2.8",
"6.2.9",
"6.3.0",
"6.3.1",
"6.3.10",
"6.3.11",
"6.3.12",
"6.3.13",
"6.3.14",
"6.3.2",
"6.3.3",
"6.3.4",
"6.3.5",
"6.3.6",
"6.3.7",
"6.3.8",
"6.3.9",
"6.4.0",
"6.4.1",
"6.4.10",
"6.4.11",
"6.4.2",
"6.4.3",
"6.4.4",
"6.4.5",
"6.4.6",
"6.4.7",
"6.4.8",
"6.4.9",
"6.5.0",
"6.5.1",
"6.5.10",
"6.5.11",
"6.5.2",
"6.5.3",
"6.5.4",
"6.5.5",
"6.5.6",
"6.5.7",
"6.5.8",
"6.5.9",
"6.6.0",
"6.6.1",
"6.6.10",
"6.6.11",
"6.6.12",
"6.6.13",
"6.6.14",
"6.6.15",
"6.6.16",
"6.6.17",
"6.6.18",
"6.6.2",
"6.6.3",
"6.6.4",
"6.6.5",
"6.6.6",
"6.6.7",
"6.6.8",
"6.6.9",
"6.7.0",
"6.7.1",
"6.7.10",
"6.7.11",
"6.7.12",
"6.7.13",
"6.7.14",
"6.7.15",
"6.7.16",
"6.7.17",
"6.7.18",
"6.7.19",
"6.7.2",
"6.7.20",
"6.7.3",
"6.7.4",
"6.7.5",
"6.7.6",
"6.7.7",
"6.7.8",
"6.7.9",
"6.8.0",
"6.8.1",
"6.8.10",
"6.8.11",
"6.8.12",
"6.8.13",
"6.8.14",
"6.8.15",
"6.8.2",
"6.8.3",
"6.8.4",
"6.8.5",
"6.8.6",
"6.8.7",
"6.8.8",
"6.8.9"
]
}
],
"aliases": [
"CVE-2026-21887",
"GHSA-ffm6-vvph-g5f5"
],
"details": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform\u2019s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.",
"id": "PYSEC-2026-118",
"modified": "2026-05-20T09:19:14.733128Z",
"published": "2026-03-12T17:16:36.813Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}