DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21887: Server-Side Request Forgery in OpenCTI Data Ingestion Component

Vulnerability ID: CVE-2026-21887
CVSS Score: 7.7
Published: 2026-06-22

A technical analysis of CVE-2026-21887, a Server-Side Request Forgery (SSRF) vulnerability in OpenCTI. The flaw occurs in the platform's data ingestion mechanism, which processes user-supplied feed URLs via Axios under a default configuration. Authenticated users with low privileges can exploit this to pivot into internal infrastructure, target metadata services, and scan private networks.

TL;DR

A semi-blind Server-Side Request Forgery (SSRF) in OpenCTI allows authenticated low-privileged users to probe internal network services and query cloud metadata endpoints by supplying absolute URLs to the platform's feed ingestion engine.


Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.7
  • EPSS Score: 0.00212 (0.21%)
  • Impact: Semi-Blind Server-Side Request Forgery
  • Exploit Status: No Public Exploit Available
  • KEV Status: Not Listed

Affected Systems

  • OpenCTI Platform Backend
  • pycti Python Package
  • OpenCTI: < 6.8.16 (Fixed in: 6.8.16)
  • pycti: < 6.8.16 (Fixed in: 6.8.16)

Code Analysis

Commit: 177a74f

Implement strict validation and safe URL checks in ingestion modules to mitigate SSRF

Mitigation Strategies

  • Upgrade OpenCTI platform and client libraries to version 6.8.16 or higher.
  • Enforce egress network boundaries at the host/container level to block private RFC 1918 subnets.
  • Configure AWS IMDSv2 with a hop limit of 1 to protect metadata credentials.

Remediation Steps:

  1. Verify the running version of OpenCTI in the admin panel or manifest files.
  2. Update Docker Compose files or Kubernetes deployment charts to pull image tag 6.8.16 or above.
  3. Check the Python environment and upgrade the pycti package with pip install --upgrade pycti.
  4. Restart the affected containers or pods so the new image and configuration take effect.

Read the full report for CVE-2026-21887 on our website for more details including interactive diagrams and full exploit analysis.
