Executive Summary

CVE-2026-21887 is a high-severity vulnerability in the OpenCTI platform versions prior to 6.8.16. It occurs because the data ingestion feature accepts user-supplied URLs without proper validation and uses the Axios HTTP client with its default setting that allows absolute URLs.

This misconfiguration enables attackers to craft requests to arbitrary endpoints, including internal services that are normally not accessible externally. This leads to a semi-blind Server-Side Request Forgery (SSRF), where attackers can make the server send HTTP requests on their behalf to internal or external systems.

Although the responses may not be fully visible to the attacker, the vulnerability can still be exploited to impact internal systems by enumerating services, exfiltrating data, or potentially executing remote code if internal APIs are vulnerable.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to internal services such as Elasticsearch, Redis, or RabbitMQ that are not exposed to the public internet.

In cloud environments, attackers can exploit this to access metadata services of cloud providers like AWS, Azure, or GCP, potentially obtaining sensitive credentials and configuration details.

The attacker requires low privileges and no user interaction to exploit this vulnerability, which can lead to data enumeration, data exfiltration, and possibly remote code execution, resulting in a compromise of confidentiality and potentially the entire infrastructure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized HTTP requests originating from the OpenCTI platform to internal or external endpoints that should not normally be accessed.

Since the vulnerability allows SSRF via user-supplied URLs in the data ingestion feature, you can look for outgoing HTTP requests from the OpenCTI server to internal services such as Elasticsearch, Redis, RabbitMQ, or cloud metadata services.

Suggested commands to detect suspicious activity include:

• Using network monitoring tools like tcpdump or Wireshark to capture outgoing HTTP requests from the OpenCTI server.
• Example tcpdump command to capture HTTP traffic: sudo tcpdump -i <interface> tcp port 80 or 443 and host <opencti-server-ip>
• Checking application logs for unusual URL requests or data ingestion requests containing absolute URLs.
• Using curl or wget commands to test if the OpenCTI instance accepts and processes absolute URLs in the data ingestion feature, e.g., sending crafted ingestion requests with absolute URLs to internal endpoints.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the OpenCTI platform to version 6.8.16 or later, where this vulnerability is fixed.

Until the upgrade can be performed, consider restricting network access from the OpenCTI server to internal services that should not be reachable, such as Elasticsearch, Redis, RabbitMQ, and cloud metadata services.

Additionally, review and restrict user input to the data ingestion feature to prevent supplying absolute URLs, or implement custom validation to block requests with absolute URLs.

Monitor logs and network traffic for suspicious requests and block or alert on any detected SSRF attempts.

Useful 0 Not Useful 0