{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.929Z", "datePublished": "2026-03-12T17:00:43.944Z", "dateUpdated": "2026-03-12T17:52:55.089Z"}, "containers": {"cna": {"title": "OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5"}], "affected": [{"vendor": "OpenCTI-Platform", "product": "opencti", "versions": [{"version": "< 6.8.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:00:43.944Z"}, "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform\u2019s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16."}], "source": {"advisory": "GHSA-ffm6-vvph-g5f5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T17:51:53.670909Z", "id": "CVE-2026-21887", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:52:55.089Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21887", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T17:51:53.670909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:52:50.218Z"}}], "cna": {"title": "OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature", "source": {"advisory": "GHSA-ffm6-vvph-g5f5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenCTI-Platform", "product": "opencti", "versions": [{"status": "affected", "version": "< 6.8.16"}]}], "references": [{"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5", "name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform\u2019s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:00:43.944Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21887", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:52:55.089Z", "dateReserved": "2026-01-05T17:24:36.929Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T17:00:43.944Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citeum:opencti:*:*:*:*:*:*:*:*", "matchCriteriaId": "83864C1B-398F-4EBC-BFB1-D13968FD7D06", "versionEndExcluding": "6.8.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform\u2019s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16."}, {"lang": "es", "value": "OpenCTI es una plataforma de c\u00f3digo abierto para gestionar el conocimiento y los observables de inteligencia de amenazas cibern\u00e9ticas. Antes de la versi\u00f3n 6.8.16, la funci\u00f3n de ingesta de datos de la plataforma OpenCTI acepta URLs proporcionadas por el usuario sin validaci\u00f3n y utiliza el cliente HTTP Axios con su configuraci\u00f3n predeterminada (allowAbsoluteUrls: true). Esto permite a los atacantes elaborar solicitudes a puntos finales arbitrarios, incluidos servicios internos, porque Axios aceptar\u00e1 y procesar\u00e1 URLs absolutas. Esto resulta en un SSRF semi-ciego, ya que las respuestas pueden no ser completamente visibles pero a\u00fan pueden impactar sistemas internos. Esta vulnerabilidad se corrige en la versi\u00f3n 6.8.16."}], "id": "CVE-2026-21887", "lastModified": "2026-03-19T17:39:31.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T17:16:36.813", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.8.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "opencti", "source": "cna", "vendor": "OpenCTI-Platform"}, "product": "opencti", "vendor": "opencti-platform"}], "analysis": {"en": {"generated_at": "2026-03-19T18:28:02.671637+00:00", "value": {"mitigation_remediation": ["Upgrade OpenCTI to version 6.8.16 or later to receive the vendor fix", "Verify that the data ingestion feature no longer accepts arbitrary URLs by testing with a non\u2011trusted URL", "If an upgrade is not immediately possible, restrict or disable the data ingestion endpoint for untrusted sources until a patch can be applied", "Continuously monitor outbound requests from the OpenCTI instance for suspicious or unexpected traffic"], "summary": {"action": "Patch Now", "impact": "Server Side Request Forgery (SSRF) leading to potential internal network exposure"}, "threat_synthesis": {"affected_systems": "All OpenCTI-Platform opencti deployments running a version older than 6.8.16 are affected. The vulnerability is fixed in release 6.8.16, so any earlier version is considered vulnerable.", "description_and_impact": "OpenCTI\u2019s data ingestion feature allowed user-supplied URLs to be requested without validation, using Axios with default settings that accept absolute URLs. The result is a semi\u2011blind SSRF: while the attacker may not receive the full response, the request can reach internal services and cause unintended actions. The primary impact is unauthorized access to internal resources and potential disruption of internal services.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity. EPSS is very low (<1%) and the vulnerability is not listed in KEV, suggesting a low current exploitation probability, but the potential impact is significant. An attacker can exploit the vulnerability by sending a crafted ingestion request through an internet-facing OpenCTI instance, triggering internal HTTP calls that may affect internal services. The risk is moderate to high in environments where the ingestion feature is exposed to untrusted users."}}}}, "created": "2026-03-13T09:50:56.527840+00:00", "updated": "2026-03-20T15:48:52.789498+00:00", "vendors": ["opencti-platform", "opencti-platform$PRODUCT$opencti"]}