Overview
This report details CVE-2025-26621, a vulnerability in OpenCTI, an open-source platform used to manage cyber threat intelligence knowledge and observables. It matters because a low-privileged but authenticated user can take the OpenCTI frontend offline, and because the same class of flaw (prototype pollution in a Node.js process) can in other circumstances lead to data leakage or system compromise for organizations that rely on OpenCTI.
Vulnerability Summary
CVE ID: CVE-2025-26621
Severity: High (7.6 CVSS score)
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Impact: Potential system compromise or data leakage, denial of service
Affected Products
Product | Affected Versions
OpenCTI | Prior to 6.5.2
How the Exploit Works
The vulnerability arises because any user holding the "manage customizations" capability can edit a webhook, and the webhook definition can execute JavaScript code within the OpenCTI server process. A malicious user with that capability can use this to pollute Object.prototype (prototype pollution), which breaks code paths that every later request depends on and results in a denial of service: the Node.js server running the OpenCTI frontend becomes unavailable. Note that the attacker does not need to be a full administrator, only an account that has been granted this customization capability, which is why the capability should be restricted to trusted users.
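The mechanism behind a prototype-pollution denial of service is easier to see in a small program than in prose. The following is an added example, not OpenCTI's code: a hypothetical notifier that merges attacker-controlled webhook settings into its defaults with a recursive merge (the classic pollution sink), beside a hardened merge that rejects prototype-walking keys. The "webhook settings" JSON and the `formatForLog` helper are constructed for the demonstration; the page does not state which OpenCTI code path was actually affected.

```javascript
'use strict';
// Added example (not OpenCTI's code). Demonstrates how a recursive merge of
// attacker-controlled webhook settings pollutes Object.prototype and breaks
// unrelated code in the same Node.js process, and how a hardened merge
// prevents it. All names below are hypothetical.

// Vulnerable: copies every key from `source`, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// attacker-chosen properties onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that walk the prototype chain and only recurse into
// properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key "${key}" in webhook settings`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload (hypothetical request body, not a real OpenCTI
// request). JSON.parse creates an own property literally named "__proto__",
// so Object.keys() returns it and the vulnerable merge follows it.
const ATTACKER_SETTINGS = JSON.parse(
  '{"headers":{"X-Source":"opencti"},"__proto__":{"toString":"boom"}}'
);

// Hypothetical notifier helper: string-interpolating an object calls its
// toString(). Once Object.prototype.toString is no longer callable, this
// throws a TypeError for every object in the process, i.e. a denial of service.
function formatForLog(obj) {
  return `webhook payload: ${obj}`;
}

// Run one merge implementation against the payload and report what happened.
// Object.prototype.toString is restored afterwards so the demonstration does
// not poison the rest of this process.
function simulate(merge) {
  const originalToString = Object.prototype.toString;
  const result = { rejected: false, polluted: false, formatError: null };
  try {
    try {
      merge({ headers: { 'Content-Type': 'application/json' } }, ATTACKER_SETTINGS);
    } catch (err) {
      result.rejected = true; // the hardened server would answer 400 here
    }
    result.polluted = Object.prototype.toString !== originalToString;
    try {
      formatForLog({ id: 1 }); // a fresh, unrelated object
    } catch (err) {
      result.formatError = err.name;
    }
  } finally {
    Object.prototype.toString = originalToString;
  }
  return result;
}

console.log('unsafeMerge:', JSON.stringify(simulate(unsafeMerge)));
console.log('safeMerge:  ', JSON.stringify(simulate(safeMerge)));
```

Running it shows the vulnerable merge leaving `polluted: true` and a `TypeError` from a completely unrelated object, while the hardened merge rejects the request and leaves the prototype untouched. The point for OpenCTI operators is that the blast radius of a polluted prototype is the whole Node.js process, not just the webhook that was edited, which is why the advisory describes the frontend server becoming unavailable.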
Conceptual Example Code
Below is a conceptual example of how the vulnerability might be exploited, depicted as a malicious payload within an HTTP request. The endpoint path and field name are placeholders for illustration; OpenCTI's real API is GraphQL and the actual mutation and fields differ.
POST /webhook/edit HTTP/1.1
Host: target.example.com
Content-Type: application/json

{ "webhook": "malicious_javascript_code" }
The "malicious_javascript_code" would be designed to write attacker-chosen properties onto Object.prototype (prototype pollution). Because that prototype is shared by every object in the Node.js process, subsequent requests fail, leading to a denial-of-service condition on the server.
Mitigation
The recommended mitigation is to apply the vendor's fix by upgrading to OpenCTI 6.5.2 or later. Until the upgrade is done, restrict the "manage customizations" capability to trusted users, since only accounts holding it can reach the vulnerable webhook editing path, and consider a Web Application Firewall (WAF) or Intrusion Detection System (IDS) rule that flags or rejects webhook edit requests carrying prototype-walking keys such as "__proto__" or "constructor". These are temporary measures; they do not replace upgrading to a patched version of OpenCTI, which is the only way to permanently resolve the vulnerability.

