EXECUTIVE SUMMARY:
CVE-2026-21887 (CVSS score 7.7) is a semi‑blind Server‑Side Request Forgery (SSRF) vulnerability in the OpenCTI threat‑intelligence platform (pip/pycti package) affecting all versions prior to 6.8.16. The data ingestion feature accepts a user‑supplied URL and forwards it to the Axios HTTP client, which by default allows absolute URLs; because the URL is not validated, an attacker can supply any external or internal address, causing the OpenCTI server to issue HTTP requests on its behalf. Exploitation requires only network access to the OpenCTI API and the ability to provide a malicious URL, with low privileges and no user interaction needed. Once triggered, the attacker gains the capability to probe or interact with internal services such as Elasticsearch, Redis, RabbitMQ, or cloud metadata endpoints, potentially extracting credentials or configuration data, or triggering unintended actions. The business impact includes unauthorized disclosure of sensitive internal data, disruption of critical backend services, and in worst‑case scenarios, full compromise of the surrounding infrastructure. Exploitation is contingent on the target service being reachable from the OpenCTI host and on the attacker’s ability to submit URLs to the ingestion endpoint.
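The mitigation the advisory implies is to validate the user-supplied URL before the ingestion code hands it to Axios. The following is an added example written for this page, not OpenCTI's own code; it assumes that only public http(s) feeds are legitimate ingestion sources, and the function names and reason strings are this example's own.

```javascript
// Added defensive example (not OpenCTI's own code): validate a user-supplied
// ingestion URL before it is handed to an HTTP client such as Axios.
// Assumption: only public http(s) feeds are legitimate ingestion sources.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// True when a dotted-decimal IPv4 address lies in a non-public range.
// (WHATWG URL parsing already canonicalises "127.1", "0x7f000001" and
// "2130706433" to "127.0.0.1", so only the canonical form is checked.)
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||              // this-net, 10/8, loopback
    (a === 169 && b === 254) ||                            // link-local / cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||                   // 172.16/12
    (a === 192 && b === 168);                              // 192.168/16
}

// True for IPv6 loopback, unspecified, ULA, link-local or IPv4-mapped private.
function isPrivateIPv6(ip) {
  const v = ip.toLowerCase();
  if (v.startsWith("::ffff:")) {                           // e.g. ::ffff:7f00:1
    const [h1, h2] = v.slice(7).split(":").map((x) => parseInt(x, 16));
    return isPrivateIPv4(`${h1 >> 8}.${h1 & 255}.${h2 >> 8}.${h2 & 255}`);
  }
  return v === "::1" || v === "::" || /^f[cd]/.test(v) || v.startsWith("fe80");
}

// Returns { ok: true, url } or { ok: false, reason }.
// Caveat: a hostname must still be resolved and the resolved address
// re-checked (and pinned for the actual connection) to defeat DNS rebinding.
function validateIngestionUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: "unparseable" }; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (host.startsWith("[")) {                               // IPv6 literal, e.g. [::1]
    if (isPrivateIPv6(host.slice(1, -1))) return { ok: false, reason: "internal-ipv6" };
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isPrivateIPv4(host)) {
    return { ok: false, reason: "internal-ipv4" };
  }
  return { ok: true, url: url.toString() };
}
```

Only a URL that passes this check should reach `axios.get`; an ingestion request that is rejected here is also a useful detection signal worth logging with the submitting user's identity.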
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-ffm6-vvph-g5f5