CVE-2026-21887: CWE-918: Server-Side Request Forgery (SSRF) in OpenCTI-Platform opencti

Severity: High
Published: Thu Mar 12 2026 (03/12/2026, 17:00:43 UTC)
Source: CVE Database V5
Vendor/Project: OpenCTI-Platform
Product: opencti

Description

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.

AI-Powered Analysis

Last updated: 03/12/2026, 18:14:09 UTC

Technical Analysis

CVE-2026-21887 is a Server-Side Request Forgery (SSRF) vulnerability identified in the OpenCTI-Platform, an open-source cyber threat intelligence management tool. The flaw exists in versions prior to 6.8.16 within the data ingestion component, which accepts user-supplied URLs without adequate validation. The platform uses the Axios HTTP client with its default setting (allowAbsoluteUrls: true), allowing absolute URLs to be processed. This configuration permits attackers with at least low-level privileges to craft requests targeting arbitrary endpoints, including internal network services that are typically inaccessible externally. The SSRF is semi-blind, meaning attackers may not receive full response data but can still cause the server to interact with internal systems, potentially leaking sensitive information or enabling further attacks. The vulnerability impacts confidentiality by exposing internal resources but does not affect data integrity or availability. The CVSS v3.1 score is 7.7 (high severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and a scope change. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to organizations relying on vulnerable OpenCTI versions. The issue was resolved in version 6.8.16 by implementing proper URL validation and restricting Axios configuration to prevent absolute URL requests.

Potential Impact

The primary impact of CVE-2026-21887 is on the confidentiality of internal systems and services accessible from the OpenCTI server. Attackers exploiting this SSRF vulnerability can make the server send requests to internal endpoints, potentially accessing sensitive data, metadata, or administrative interfaces not exposed externally. This can lead to information disclosure, reconnaissance of internal network topology, and possibly facilitate lateral movement or further exploitation within the victim's environment. Although the SSRF is semi-blind and does not directly compromise data integrity or availability, the exposure of internal services can be leveraged in multi-stage attacks. Organizations using OpenCTI for threat intelligence management may have sensitive operational data at risk. The vulnerability requires at least low privileges on the platform, so insider threats or compromised user accounts increase risk. The widespread use of OpenCTI in cybersecurity teams globally means that many organizations, especially those in critical infrastructure and government sectors, could be targeted. Failure to patch this vulnerability could result in unauthorized internal network access and data leakage.

Mitigation Recommendations

1. Upgrade OpenCTI-Platform to version 6.8.16 or later, where the vulnerability is fixed.
2. Restrict access to the data ingestion feature to trusted users only, minimizing the risk of malicious URL submissions.
3. Implement network segmentation and firewall rules to limit the OpenCTI server's ability to reach sensitive internal endpoints unnecessarily.
4. Monitor and log all outgoing HTTP requests from the OpenCTI server to detect unusual or unauthorized access attempts.
5. If upgrading immediately is not possible, consider disabling or restricting the data ingestion feature temporarily.
6. Conduct regular audits of user privileges within OpenCTI to ensure that only necessary users have access to features that accept external input.
7. Employ web application firewalls (WAFs) or proxy solutions that can detect and block SSRF patterns targeting internal resources.
8. Educate administrators and users about the risks of SSRF and the importance of validating URLs before ingestion.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T17:24:36.929Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b2ff142f860ef943d3c351

Added to database: 3/12/2026, 5:59:48 PM

Last enriched: 3/12/2026, 6:14:09 PM

Last updated: 3/12/2026, 8:07:11 PM
