Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.
Published: 2026-03-12
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery (SSRF) leading to potential internal network exposure
Action: Patch Now
AI Analysis

Impact

OpenCTI’s data ingestion feature allowed user-supplied URLs to be requested without validation, using Axios with default settings that accept absolute URLs. The result is a semi-blind SSRF: while the attacker may not receive the full response, the request can reach internal services and cause unintended actions. The primary impact is unauthorized access to internal resources and potential disruption of internal services.

Affected Systems

All OpenCTI-Platform opencti deployments running a version older than 6.8.16 are affected. The vulnerability is fixed in release 6.8.16, so any earlier version is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. EPSS is very low (<1%) and the vulnerability is not listed in KEV, suggesting a low current exploitation probability, but the potential impact is significant. An attacker can exploit the vulnerability by sending a crafted ingestion request through an internet-facing OpenCTI instance, triggering internal HTTP calls that may affect internal services. The risk is moderate to high in environments where the ingestion feature is exposed to untrusted users.

Generated by OpenCVE AI on March 19, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenCTI to version 6.8.16 or later to receive the vendor fix
  • Verify that the data ingestion feature no longer accepts arbitrary URLs by testing with a non-trusted URL
  • If an upgrade is not immediately possible, restrict or disable the data ingestion endpoint for untrusted sources until a patch can be applied
  • Continuously monitor outbound requests from the OpenCTI instance for suspicious or unexpected traffic
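The description and the actions above boil down to two controls: never hand a user-supplied URL to the HTTP client unchecked, and do not rely on Axios's default absolute-URL handling. The following is an added example of those controls in plain Node.js; it is not OpenCTI's code or its fix. The function and constant names (isInternalHost, isSafeIngestionUrl, INGESTION_ALLOWED_HOSTS, hardenedAxiosOptions) and the allowlisted feed hosts are assumptions for illustration, and the option object is only shown, not passed to Axios, so the block runs without the library installed.

```javascript
// Added example (not OpenCTI's own code): a defensive URL gate for an
// ingestion feature that fetches user-supplied URLs, plus the Axios options
// a hardened client would use. All names and hosts below are hypothetical.

// Constructed allowlist: the only feed hosts the ingestion job may fetch.
const INGESTION_ALLOWED_HOSTS = new Set(["feeds.example.org", "taxii.example.net"]);

// True for loopback, link-local, unique-local and RFC 1918 literals, and for
// localhost names. Relies on the WHATWG URL parser having already normalised
// the host (lower-cased names, canonical IPv4 dotted-quad, bracketed IPv6).
function isInternalHost(host) {
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    const [a, b] = host.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 169 && b === 254);
  }
  if (host.startsWith("[")) {
    const v6 = host.slice(1, -1).toLowerCase();
    // IPv4-mapped (::ffff:...) addresses are rejected outright rather than
    // unwrapped; a feed host should never need one.
    return v6 === "::1" || v6 === "::" || v6.startsWith("fe80:") ||
      v6.startsWith("fc") || v6.startsWith("fd") || v6.startsWith("::ffff:");
  }
  return false;
}

// Validate a raw user-supplied URL before it reaches the HTTP client.
// Deny by default: only https to an allowlisted, non-internal host passes.
function isSafeIngestionUrl(raw) {
  let url;
  try {
    url = new URL(raw);                         // rejects malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;  // no http:, file:, gopher:, ...
  if (url.username || url.password) return false; // embedded credentials
  if (isInternalHost(url.hostname)) return false;
  return INGESTION_ALLOWED_HOSTS.has(url.hostname);
}

// Axios options for the ingestion client. allowAbsoluteUrls is the option the
// advisory names; with it set to false an absolute URL given per request is
// treated as a path under baseURL instead of replacing it. Redirects are
// disabled so a validated URL cannot bounce the client to another host.
const hardenedAxiosOptions = {
  baseURL: "https://feeds.example.org",
  allowAbsoluteUrls: false,
  maxRedirects: 0,
  timeout: 10_000,
};

// Example run over constructed inputs.
function classify(urls) {
  return urls.map((u) => [u, isSafeIngestionUrl(u)]);
}
```

The check is deliberately layered: scheme, credentials, host class and allowlist are each evaluated, and the allowlist means an unexpected public host is refused as well as a private one. It does not protect against a feed host whose DNS later resolves to an internal address; for that the resolved address must be checked again at connect time, which is outside what this block shows.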


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:45:00 +0000

  First Time appeared
    Values Added: Citeum; Citeum opencti
  CPEs
    Values Added: cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*
  Vendors & Products
    Values Added: Citeum; Citeum opencti

Fri, 13 Mar 2026 10:00:00 +0000

  First Time appeared
    Values Added: Opencti-platform; Opencti-platform opencti
  Vendors & Products
    Values Added: Opencti-platform; Opencti-platform opencti

Thu, 12 Mar 2026 18:15:00 +0000

  Metrics
    Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 17:15:00 +0000

  Description
    Values Added: OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.
  Title
    Values Added: OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
  Weaknesses
    Values Added: CWE-918
  References
  Metrics
    Values Added: cvssV3_1
    {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T17:52:55.089Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21887

Vulnrichment

Updated: 2026-03-12T17:52:50.218Z

NVD

Status: Analyzed

Published: 2026-03-12T17:16:36.813

Modified: 2026-03-19T17:39:31.873

Link: CVE-2026-21887

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:48:52Z

Weaknesses