
Apicurio Registry CVE-2026-12975

EUVD: EUVD-2026-39574 · Severity: HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-25 · redhat · GHSA-7g64-f2hm-vjxp
CVSS 3.1 base score: 8.5 · Vendor: redhat

Severity by source

Vendor (redhat), PRIMARY: 8.5 HIGH
  AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

vuln.today AI: 9.3 CRITICAL
  Rationale: Default config permits anonymous artifact upload, so PR:N; low-complexity remote XXE with scope change to other systems via blind SSRF (C:L) and high-impact entity-expansion DoS (A:H).
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:N/SA:N

Red Hat: 8.5 HIGH (qualitative)

Primary rating from Vendor (redhat).

CVSS Vector (Vendor: redhat)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 25, 2026 - 21:54 (vuln.today)

Description (CVE.org)

A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.

Analysis (AI)

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. …
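The parser construction the description says is missing, shown as an added example that is not Apicurio Registry's code: a SAXParserFactory with secure processing enabled, DOCTYPE declarations refused and all external entity/DTD loading disabled, wrapped in a hypothetical isParsableXml-style content check. The class and method names are assumptions, and the sample documents are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class; not the project's ContentTypeUtil.
public class SafeXmlProbe {

    // Builds a SAXParserFactory hardened against XXE: secure processing on,
    // DOCTYPE declarations rejected outright, and external general/parameter
    // entities and external DTDs never loaded. The feature URIs are the
    // standard JAXP/Xerces ones supported by the JDK's built-in parser.
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Content sniffing done safely: a document counts as "parsable XML" only if
    // the hardened parser accepts it. Any DOCTYPE (the carrier for external
    // entity references and entity-expansion bombs) makes the parser throw, so
    // such input is reported as not parsable instead of having its entities
    // resolved or expanded.
    static boolean isParsableXml(String content) {
        try {
            SAXParser parser = hardenedFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(content)), new DefaultHandler());
            return true;
        } catch (Exception e) { // SAXException, IOException, ParserConfigurationException
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a plain document, and one that carries a DOCTYPE
        // with an internal entity, which the hardened parser refuses.
        String plain = "<schema><field name=\"id\"/></schema>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"v\">]><x>&e;</x>";
        System.out.println("plain        -> " + isParsableXml(plain));
        System.out.println("with DOCTYPE -> " + isParsableXml(withDoctype));
    }
}
```

If legitimate artifacts must carry a DOCTYPE, keep disallow-doctype-decl off but leave the external-entity and external-DTD features disabled and set a bounded entity-expansion limit.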


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach registry artifact-upload API (default anonymous)
Delivery: Upload crafted XML with external DTD/entity
Exploit: SAXParser resolves external entity
Execution: Server fetches attacker/internal URL
Persist: Blind SSRF pivot or entity expansion exhausts resources
Impact: Internal probing or denial of service

Vulnerability Assessment (AI)

Exploitation: The attacker must be able to submit content through Apicurio Registry's artifact-write/upload path that flows into ContentTypeUtil.isParsableXml(), and the submitted document must be XML containing a DOCTYPE with external DTD/entity references (SYSTEM identifiers) for SSRF, or nested entity definitions for DoS. …

Risk Assessment: Signals point to a genuine, prioritizable issue but with nuance. …

Exploit Scenario: An attacker reaches the registry's artifact-upload API (no credentials needed against a default-config deployment) and POSTs a small XML artifact whose DOCTYPE references an external parameter entity at an attacker- or internal-pointing URL. The server's SAX parser fetches that URL, letting the attacker blind-SSRF into the internal network (e.g., probe cloud metadata or internal admin services) or, by supplying recursively nested entities, exhaust server CPU/memory to cause denial of service. …

Remediation: No vendor-released patch version is identified in the provided data; monitor the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-12975) and Bugzilla 2491688 (https://bugzilla.redhat.com/show_bug.cgi?id=2491688) for the fixed Apicurio Registry 3 build and apply it as the primary remediation once published. …

Recommended Action (AI)

Within 24 hours: Identify all Apicurio Registry 3 deployments in production and staging; restrict artifact upload permissions to authenticated users only. …

