GHSA-ffm6-vvph-g5f5

Source
https://github.com/advisories/GHSA-ffm6-vvph-g5f5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-ffm6-vvph-g5f5/GHSA-ffm6-vvph-g5f5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ffm6-vvph-g5f5
Aliases
Published
2026-06-22T17:01:22Z
Modified
2026-06-22T17:15:08.045739291Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
OpenCTI has Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
Details

Summary

The OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs.

This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems.

Impact

OpenCTI’s data ingestion feature can allow an attacker to make the application send HTTP requests to arbitrary internal or external endpoints. This means an attacker could reach internal services that are not exposed publicly, such as Elasticsearch, Redis, or RabbitMQ, and potentially extract sensitive data or manipulate internal components. In cloud environments, the attacker could target metadata services like AWS, Azure, or GCP to obtain credentials and configuration details, which could lead to full compromise of the infrastructure. Even though the SSRF is semi-blind and the attacker may not see the full response, the ability to interact with internal services can enable enumeration, data exfiltration, and in some cases remote code execution if internal APIs expose dangerous functionality.

Database specific
{
    "github_reviewed_at": "2026-06-22T17:01:22Z",
    "nvd_published_at": "2026-03-12T17:16:36Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-918"
    ],
    "severity": "HIGH"
}
References

Affected packages

PyPI / pycti

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.8.16

Affected versions

1.*
1.2.1
1.2.2
1.2.4
1.2.9
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3.0
3.3.1
3.3.2
3.3.3
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0
4.1.1
4.1.2
4.2.1
4.2.2
4.2.3
4.2.4
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.3.0
5.3.post5310
5.3.post5311
5.3.post5312
5.3.post5314
5.3.post5315
5.3.post5316
5.3.post5317
5.3.post5318
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.4.0
5.4.1
5.5.0
5.5.post551
5.5.post552
5.5.post553
5.5.post554
5.5.post555
5.5.post556
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.6.0
5.6.post560
5.6.post561
5.6.post562
5.6.1
5.6.2
5.7.0
5.7.post570
5.7.post571
5.7.post572
5.7.post573
5.7.post574
5.7.post575
5.7.post576
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.9.0
5.9.1
5.9.2
5.9.3
5.9.4
5.9.5
5.9.6
5.10.0
5.10.1
5.10.2
5.10.3
5.11.0
5.11.1
5.11.2
5.11.3
5.11.4
5.11.5
5.11.6
5.11.7
5.11.8
5.11.9
5.11.10
5.11.11
5.11.12
5.11.13
5.11.14
5.12.0
5.12.1
5.12.2
5.12.3
5.12.4
5.12.5
5.12.6
5.12.7
5.12.8
5.12.9
5.12.10
5.12.11
5.12.12
5.12.13
5.12.14
5.12.15
5.12.16
5.12.17
5.12.18
5.12.19
5.12.20
5.12.21
5.12.22
5.12.23
5.12.24
5.12.25
5.12.26
5.12.27
5.12.28
5.12.29
5.12.30
5.12.31
5.12.32
5.12.33
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.0.10
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.1.7
6.1.8
6.1.9
6.1.10
6.1.11
6.1.12
6.1.13
6.2.0
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.2.9
6.2.10
6.2.11
6.2.12
6.2.13
6.2.14
6.2.15
6.2.16
6.2.17
6.2.18
6.2.19
6.3.0
6.3.1
6.3.2
6.3.3
6.3.4
6.3.5
6.3.6
6.3.7
6.3.8
6.3.9
6.3.10
6.3.11
6.3.12
6.3.13
6.3.14
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8
6.4.9
6.4.10
6.4.11
6.5.0
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
6.5.6
6.5.7
6.5.8
6.5.9
6.5.10
6.5.11
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6
6.6.7
6.6.8
6.6.9
6.6.10
6.6.11
6.6.12
6.6.13
6.6.14
6.6.15
6.6.16
6.6.17
6.6.18
6.7.0
6.7.1
6.7.2
6.7.3
6.7.4
6.7.5
6.7.6
6.7.7
6.7.8
6.7.9
6.7.10
6.7.11
6.7.12
6.7.13
6.7.14
6.7.15
6.7.16
6.7.17
6.7.18
6.7.19
6.7.20
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
6.8.6
6.8.7
6.8.8
6.8.9
6.8.10
6.8.11
6.8.12
6.8.13
6.8.14
6.8.15

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-ffm6-vvph-g5f5/GHSA-ffm6-vvph-g5f5.json"