CVE-2026-21887
Published: 12 March 2026
Summary
CVE-2026-21887 is a high-severity SSRF (CWE-918) vulnerability in Citeum Opencti. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): directly addresses the lack of validation on user-supplied URLs in OpenCTI's data ingestion feature, preventing SSRF by enforcing validity checks before processing.
- SI-2 (Flaw Remediation): requires identification and timely remediation of the specific SSRF flaw in OpenCTI prior to version 6.8.16 through patching.
- Restricts user-supplied URL inputs based on characteristics such as scheme, host, or port to block requests to internal services.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
SSRF in public-facing OpenCTI data ingestion directly enables T1190 by allowing unauthenticated requests to internal endpoints from the server.
NVD Description
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.
Deeper analysis (AI-generated)
CVE-2026-21887 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the OpenCTI open-source platform for managing cyber threat intelligence knowledge and observables. In versions prior to 6.8.16, the data ingestion feature accepts user-supplied URLs without validation and relies on the Axios HTTP client configured with its default allowAbsoluteUrls: true setting. This enables attackers to direct requests to arbitrary endpoints, including internal services, as Axios processes absolute URLs without restriction, resulting in a semi-blind SSRF where responses may not be fully visible to the attacker.
The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating exploitation over the network with low complexity, requiring only low privileges, no user interaction, and a changed scope with high confidentiality impact. Authenticated users with low privileges can craft malicious URLs during data ingestion to trigger requests to internal systems, potentially allowing unauthorized access to sensitive data on those systems, though the impact is limited to information disclosure without integrity or availability effects.
The vulnerability is addressed in OpenCTI version 6.8.16, as detailed in the GitHub security advisory at https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-ffm6-vvph-g5f5. Security practitioners should upgrade to the patched version to mitigate the SSRF risk.
Details
- CWE(s): CWE-918