CVE-2026-21887 HIGH

CVE-2026-21887: OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature

Vendor Opencti-Platform
Product opencti
Weakness CWE-918 · SSRF
Published March 12, 2026
Last update March 12, 2026
View on NVD All CVEs

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.

Key dates

02Disclosure timeline

March 12, 2026 CVE published
March 12, 2026 Record updated