Severity by source

Primary rating from Vendor (redhat).

CVSS Vector (Vendor: redhat): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

Default config permits anonymous artifact upload so PR:N; low-complexity remote XXE with scope change to other systems via blind SSRF (C:L) and high-impact entity-expansion DoS (A:H).
Description (CVE.org)
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
Analysis (AI)
Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. …
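The factory misconfiguration described above, shown beside a hardened version, as an added Java example that is not Apicurio Registry's own code: the class name XmlProbe and the methods unsafeFactory, hardenedFactory and isParsableXml are hypothetical, and the two sample artifacts are constructed. The hardened form refuses DOCTYPE declarations outright (a content-type probe has no need for DTDs), disables external general and parameter entities and external DTD loading, and enables FEATURE_SECURE_PROCESSING so the JDK's entity-expansion limits apply.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.IOException;
import java.io.StringReader;

// Hypothetical class, not part of Apicurio Registry.
public final class XmlProbe {

    // Weak form: a default SAXParserFactory resolves external DTDs/entities
    // and applies no secure-processing limits (the CWE-611 pattern).
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened form: reject any DOCTYPE, never resolve external entities or
    // DTDs, keep XInclude off, and enable secure processing (expansion limits).
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Content-type probe in the spirit of the vulnerable method: returns true
    // only if the document parses. With the hardened factory a DOCTYPE makes
    // the parse fail immediately, before any fetch or expansion could occur.
    static boolean isParsableXml(SAXParserFactory factory, String content) {
        try {
            SAXParser parser = factory.newSAXParser();
            parser.parse(new InputSource(new StringReader(content)), new DefaultHandler());
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain artifact and one that carries a DOCTYPE
        // (internal entity only; no external reference is needed to show the check).
        String plain = "<schema><field name=\"id\"/></schema>";
        String withDoctype = "<!DOCTYPE schema [<!ENTITY n \"x\">]><schema>&n;</schema>";

        SAXParserFactory hardened = hardenedFactory();
        System.out.println("plain artifact, hardened factory: "
                + isParsableXml(hardened, plain));
        System.out.println("DOCTYPE artifact, hardened factory: "
                + isParsableXml(hardened, withDoctype));
        System.out.println("DOCTYPE artifact, default factory: "
                + isParsableXml(unsafeFactory(), withDoctype));
    }
}
```

Run as-is, the hardened factory accepts the plain artifact and rejects the one carrying a DOCTYPE, while the default factory accepts both because it processes the DTD. Rejecting DOCTYPE is the single most effective setting here: it removes the external-entity and expansion surface entirely for a probe whose only job is to decide whether content is XML. The remaining features are belt-and-braces for parsers where the DOCTYPE feature is not honoured.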
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must be able to submit content through Apicurio Registry's artifact-write/upload path that flows into ContentTypeUtil.isParsableXml(), and the submitted document must be XML containing a DOCTYPE with external DTD/entity references (SYSTEM identifiers) for SSRF, or nested entity definitions for DoS. … |
| Risk Assessment | Signals point to a genuine, prioritizable issue but with nuance. … |
| Exploit Scenario | An attacker reaches the registry's artifact-upload API (no credentials needed against a default-config deployment) and POSTs a small XML artifact whose DOCTYPE references an external parameter entity at an attacker- or internal-pointing URL. The server's SAX parser fetches that URL, letting the attacker blind-SSRF into the internal network (e.g., probe cloud metadata or internal admin services) or, by supplying recursively nested entities, exhaust server CPU/memory to cause denial of service. … |
| Remediation | No vendor-released patch version is identified in the provided data; monitor the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-12975) and Bugzilla 2491688 (https://bugzilla.redhat.com/show_bug.cgi?id=2491688) for the fixed Apicurio Registry 3 build and apply it as the primary remediation once published. … |
Recommended Action (AI)
Within 24 hours: Identify all Apicurio Registry 3 deployments in production and staging; restrict artifact upload permissions to authenticated users only. …
Related identifiers

- EUVD-2026-39574
- GHSA-7g64-f2hm-vjxp