
CVE-2025-26621: CWE-94: Improper Control of Generation of Code ('Code Injection') in OpenCTI-Platform opencti

Severity: High
Tags: Vulnerability, CVE-2025-26621, cve, cve-2025-26621, cwe-94
Published: Mon May 19 2025 (05/19/2025, 16:01:50 UTC)
Source: CVE
Vendor/Project: OpenCTI-Platform
Product: opencti

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype pollution, making the Node.js server running the OpenCTI frontend become unavailable. Version 6.5.2 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 17:02:42 UTC

Technical Analysis

CVE-2025-26621 is a high-severity vulnerability affecting OpenCTI versions prior to 6.5.2. OpenCTI is an open-source cyber threat intelligence management platform used to organize and analyze threat data. The vulnerability is an improper control of code generation (CWE-94) in the management of webhook customizations: users holding the 'manage customizations' capability can edit webhooks that execute arbitrary JavaScript code.

An attacker with that capability can use the webhook code to perform prototype pollution against the Node.js server running the OpenCTI frontend. Prototype pollution manipulates the prototype of JavaScript base objects, altering application behavior and, in this case, causing a denial of service (DoS) that makes the server unavailable. Exploitation requires no user interaction but does require high privileges (manage customizations).

The CVSS 3.1 base score is 7.6 (high), reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, a scope change, no confidentiality impact, limited integrity impact, and high availability impact. The issue is fixed in OpenCTI version 6.5.2. No exploits in the wild are known yet, but the potential for DoS and integrity compromise in a critical threat intelligence platform is significant: loss of OpenCTI availability directly affects organizations that rely on it for cyber threat intelligence operations.

Potential Impact

For European organizations using OpenCTI, this vulnerability poses a significant risk to the availability and integrity of their cyber threat intelligence infrastructure. Because OpenCTI is used to manage and analyze threat data, a denial of service attack could interrupt threat monitoring, delay incident response, and reduce situational awareness, widening the window of exposure to other cyber threats. The integrity impact, while limited, could allow malicious modification of webhook behavior, potentially leading to inaccurate threat data or further exploitation. Organizations in sectors that rely heavily on threat intelligence platforms, such as government agencies, critical infrastructure operators, financial institutions, and large enterprises, may face operational and security risks if this vulnerability is exploited. The high-privilege requirement limits the attack surface to insiders or compromised accounts, but insider threats or privilege escalation scenarios could still enable exploitation. The absence of known exploits in the wild provides a window for proactive patching and mitigation.

Mitigation Recommendations

European organizations should upgrade OpenCTI to version 6.5.2 or later without delay. Until the upgrade is complete, restrict the 'manage customizations' capability to trusted administrators only. Monitor and alert on webhook configuration changes so that unauthorized modifications are detected, and audit user privileges and webhook configurations regularly. Runtime application self-protection (RASP) or Web Application Firewall (WAF) rules can be used to detect and block suspicious JavaScript execution patterns associated with prototype pollution. Place the OpenCTI frontend server in a segregated network segment with limited access to reduce exposure, and review logs for activity indicative of prototype pollution attempts or denial-of-service conditions. Finally, incorporate this vulnerability into incident response plans so that suspected exploitation is detected and remediated quickly.
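The analysis above describes the risk (user-editable webhook JavaScript reaching base-object prototypes) and the mitigations (review webhook changes, detect pollution attempts). The following is an added example, not OpenCTI's own code, showing two defensive checks a Node.js operator can run: a pre-save review that flags webhook template source reaching prototype-pollution sinks, and a runtime integrity check that reports any property added to `Object.prototype` since process start, together with a freeze of the base prototypes. It assumes, as a simplification, that webhook templates are stored as JavaScript source strings; the sample templates are constructed for the example.

```javascript
'use strict';

// Source patterns through which template code can reach base-object prototypes.
// A template that needs one of these legitimately is the exception a reviewer
// should look at before the change is saved.
const PROTOTYPE_SINKS = [
  { name: '__proto__ access', re: /__proto__/ },
  { name: 'constructor.prototype access',
    re: /constructor\s*(\.\s*prototype|\[\s*['"`]prototype['"`]\s*\])/ },
  { name: 'Object.prototype assignment', re: /Object\s*\.\s*prototype\s*(\.|\[)/ },
  { name: 'Object.setPrototypeOf', re: /Object\s*\.\s*setPrototypeOf\s*\(/ },
  { name: 'Reflect.setPrototypeOf', re: /Reflect\s*\.\s*setPrototypeOf\s*\(/ },
];

// Pre-save review of one webhook template: returns the names of matched sinks
// (empty array means nothing suspicious was found).
function findPrototypeSinks(templateSource) {
  const hits = [];
  for (const sink of PROTOTYPE_SINKS) {
    if (sink.re.test(templateSource)) hits.push(sink.name);
  }
  return hits;
}

// Own keys of Object.prototype recorded when this module loads, i.e. before any
// template code has run in the process.
const BASELINE_OBJECT_PROTOTYPE_KEYS = new Set(Reflect.ownKeys(Object.prototype));

// Runtime integrity check: any own key on Object.prototype that was not present
// at startup is evidence of pollution and worth an alert.
function findPollutedKeys() {
  return Reflect.ownKeys(Object.prototype)
    .filter((key) => !BASELINE_OBJECT_PROTOTYPE_KEYS.has(key))
    .map(String);
}

// Hardening: freeze the base prototypes so template code cannot add or change
// properties on them. Call once at process start, before any template runs.
// Returns true when Object.prototype is frozen afterwards.
function freezeBasePrototypes() {
  for (const proto of [Object.prototype, Array.prototype]) {
    Object.freeze(proto);
  }
  return Object.isFrozen(Object.prototype);
}

// Constructed sample webhook templates (hypothetical; not real OpenCTI webhooks).
const SAMPLE_TEMPLATES = {
  benign: 'return { title: event.name, url: event.url };',
  readsProto: 'return event.__proto__;',
  viaConstructor: 'const p = Object.getPrototypeOf({}); return p.constructor.prototype;',
};

// Review every stored template and return a name -> matched sinks report.
function reviewTemplates(templates = SAMPLE_TEMPLATES) {
  const report = {};
  for (const [name, source] of Object.entries(templates)) {
    report[name] = findPrototypeSinks(source);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('template review:', reviewTemplates());
  console.log('polluted keys on Object.prototype:', findPollutedKeys());
  console.log('base prototypes frozen:', freezeBasePrototypes());
}
```

The regex review is a coarse, deliberately noisy filter meant to route a change to a human, not a sandbox; the runtime key check and the freeze are what actually limit the blast radius of a template that slips through, and both are cheap to run in any Node.js service that evaluates user-supplied code.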


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-02-12T14:51:02.719Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb511

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 5:02:42 PM

Last updated: 7/30/2025, 4:08:04 PM
