OpenCTI May Bypass Introspection Restriction
The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query.
Advisories for Pypi/Pycti package
2026
OpenCTI has Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
The OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems.
OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd
An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization.