The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61782

CVE-2025-61782: OpenCTI SAML Auth Bypass Vulnerability

CVE-2025-61782 is an authentication bypass flaw in OpenCTI's SAML endpoint that enables open redirect attacks for phishing and credential theft. This article covers technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2025-61782 Overview

CVE-2025-61782 is an open redirect vulnerability affecting the OpenCTI platform, an open source solution for managing cyber threat intelligence knowledge and observables. The vulnerability exists in the SAML authentication endpoint (/auth/saml/callback) where improper validation of the RelayState parameter allows attackers to redirect authenticated users to arbitrary external URLs. By manipulating this parameter, an attacker can force the server to issue a 302 redirect, enabling phishing attacks, credential theft, and arbitrary site redirection.

Critical Impact

Attackers can exploit this vulnerability to redirect users to malicious sites after SAML authentication, enabling phishing campaigns and potential credential theft through look-alike login pages.

Affected Products

  • OpenCTI Platform versions prior to 6.8.3
  • SAML-enabled OpenCTI deployments
  • Organizations using federated authentication with OpenCTI

Discovery Timeline

  • January 7, 2026 - CVE-2025-61782 published to NVD
  • January 8, 2026 - Last updated in NVD database

Technical Details for CVE-2025-61782

Vulnerability Analysis

This open redirect vulnerability (CWE-601) stems from insufficient validation of the RelayState parameter in the SAML authentication callback endpoint. The RelayState parameter is a standard SAML component that preserves the original destination URL during the authentication flow. In vulnerable versions of OpenCTI, this parameter was not properly validated to ensure it pointed to a legitimate internal URL, allowing attackers to inject arbitrary external URLs.

When a user completes SAML authentication, the application blindly trusts the RelayState value and issues a 302 HTTP redirect to whatever URL is specified. This creates a trusted redirect chain that attackers can abuse for phishing attacks, as victims believe they are interacting with the legitimate OpenCTI platform.

Root Cause

The root cause is improper URL validation in the SAML callback handler. The application failed to implement proper verification of the RelayState parameter and referer headers, allowing external URLs to be accepted as valid redirect targets. The security patch introduced improved RelayState and referer verification by comparing redirect destinations against the application's base URL.

Attack Vector

The attack leverages the network-accessible SAML authentication endpoint and requires user interaction. An attacker crafts a malicious SAML authentication request with a manipulated RelayState parameter pointing to an attacker-controlled domain. The attack flow is as follows:

  1. Attacker constructs a URL to the OpenCTI SAML endpoint with a malicious RelayState value
  2. Victim clicks the link and authenticates normally via their identity provider
  3. After successful authentication, OpenCTI issues a 302 redirect to the attacker's URL
  4. Victim lands on a phishing page that may harvest credentials or deliver malware
javascript
 import rateLimit from 'express-rate-limit';
 import contentDisposition from 'content-disposition';
 import { printSchema } from 'graphql/utilities';
-import { basePath, DEV_MODE, ENABLED_UI, logApp, OPENCTI_SESSION, PLATFORM_VERSION, AUTH_PAYLOAD_BODY_SIZE } from '../config/conf';
+import { basePath, DEV_MODE, ENABLED_UI, logApp, OPENCTI_SESSION, PLATFORM_VERSION, AUTH_PAYLOAD_BODY_SIZE, getBaseUrl } from '../config/conf';
 import passport, { isStrategyActivated, STRATEGY_CERT } from '../config/providers';
 import { HEADERS_AUTHENTICATORS, loginFromProvider, sessionAuthenticateUser, userWithOrigin } from '../domain/user';
 import { downloadFile, getFileContent, isStorageAlive, loadFile } from '../database/file-storage';

Source: GitHub Commit Details

The patch imports getBaseUrl from the configuration module, which is then used to validate that redirect destinations match the expected base URL of the OpenCTI instance, preventing redirects to external domains.

Detection Methods for CVE-2025-61782

Indicators of Compromise

  • HTTP requests to /auth/saml/callback with RelayState parameters containing external URLs
  • 302 redirects from the SAML callback endpoint to domains outside the organization
  • Unusual authentication patterns followed by redirects to unknown domains
  • User reports of being redirected to unexpected sites after SAML login

Detection Strategies

  • Monitor web application firewall (WAF) logs for SAML callback requests with suspicious RelayState values
  • Implement URL allowlisting rules to detect RelayState parameters pointing to non-internal domains
  • Configure SIEM alerts for 302 responses from /auth/saml/callback to external domains
  • Review authentication logs for patterns indicating redirect abuse

Monitoring Recommendations

  • Enable verbose logging on the OpenCTI SAML authentication endpoints
  • Set up network traffic analysis to detect redirects to newly registered or suspicious domains
  • Monitor for phishing reports that may indicate exploitation of this vulnerability
  • Track failed login attempts on external sites that may be leveraging stolen session data

How to Mitigate CVE-2025-61782

Immediate Actions Required

  • Upgrade OpenCTI to version 6.8.3 or later immediately
  • Audit authentication logs for any suspicious redirect patterns prior to patching
  • Notify users about potential phishing attempts if exploitation is suspected
  • Consider temporarily disabling SAML authentication until patching is complete

Patch Information

OpenCTI has released version 6.8.3 which addresses this vulnerability. The patch implements improved RelayState and referer verification to ensure redirect destinations are validated against the application's base URL. Organizations should upgrade immediately.

For detailed patch information, see the GitHub Release 6.8.3 and the GitHub Security Advisory GHSA-jc3f-c62g-v7qw.

Workarounds

  • Implement WAF rules to block SAML callback requests with external URLs in the RelayState parameter
  • Configure Content Security Policy (CSP) headers to restrict redirect destinations
  • Deploy a reverse proxy with URL validation for the /auth/saml/callback endpoint
  • Train users to verify URLs after authentication and report suspicious redirects
bash
# Example WAF rule to block external RelayState values (ModSecurity syntax)
SecRule ARGS:RelayState "^https?://(?!your-opencti-domain\.com)" \
    "id:100001,phase:2,deny,status:403,msg:'Blocked suspicious SAML RelayState redirect'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechOpencti
  • SeverityMEDIUM
  • CVSS Score5.4
  • EPSS Probability0.08%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityNone
  • CWE References
  • CWE-601
  • Technical References
  • GitHub Commit Details
  • GitHub Release 6.8.3
  • GitHub Security Advisory GHSA-jc3f-c62g-v7qw
  • Related CVEs
  • CVE-2025-61781: OpenCTI Auth Bypass Vulnerability
  • CVE-2026-21887: OpenCTI SSRF Vulnerability
  • CVE-2020-37041: OpenCTI Path Traversal Vulnerability
  • CVE-2020-37044: OpenCTI Reflected XSS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English