CVE-2025-61782
Unknown Unknown - Not Provided
Open Redirect in OpenCTI SAML Endpoint Enables Phishing

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can force the server to issue a 302 redirect to any external URL, enabling phishing, credential theft, and arbitrary site redirection. This issue has been patched in version 6.8.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61782
EUVD
EUVD-2025-206265
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencti opencti to 6.8.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61782 is an open redirect vulnerability in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback) prior to version 6.8.3. The vulnerability arises because the RelayState parameter, which controls the URL to which users are redirected after authentication, is not properly validated or sanitized. An attacker can manipulate this parameter to cause the server to redirect users to any external URL, potentially leading to phishing, credential theft, and arbitrary site redirection. The vulnerability was fixed by introducing a sanitization function that ensures redirects only occur within the trusted domain. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect users from the trusted OpenCTI platform to malicious external websites. This can facilitate phishing attacks, credential theft, arbitrary site redirection, and potentially malware distribution. Exploitation undermines trust in the authentication process and can lead to compromised user credentials or tokens, reputational damage, and increased risk of social engineering attacks. [2]

Compliance Impact

Exploitation of this vulnerability can lead to credential theft and unauthorized access to user information, which may result in violations of data protection regulations such as GDPR and HIPAA. The resulting data breaches or unauthorized disclosures could cause non-compliance with these standards, leading to legal and financial consequences. [2]

Detection Guidance

This vulnerability can be detected by monitoring HTTP 302 redirects issued by the OpenCTI platform's /auth/saml/callback endpoint that redirect users to external URLs not belonging to the trusted domain. Look for suspicious RelayState parameter values causing redirects to external domains. Additionally, check logs for informational messages about altered or invalid referer URLs during authentication callbacks, as the patched version logs such events. Specific commands are not provided, but you can use network monitoring tools (e.g., tcpdump, Wireshark) or web server access logs to identify unexpected redirects from the /auth/saml/callback endpoint to external URLs. [1, 2]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the OpenCTI platform to version 6.8.3 or later, where the issue has been patched by sanitizing and validating the RelayState parameter to prevent open redirects. Until the upgrade is applied, restrict access to the /auth/saml/callback endpoint if possible, monitor for suspicious redirects, and educate users about potential phishing risks stemming from manipulated redirects. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart