Apicurio Registry EUVD-2026-39577

CVE-2026-12992 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-25 redhat GHSA-rcmh-vfq7-8gf4
7.4
CVSS 3.1 · Vendor: redhat

Severity by source

Vendor (redhat) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
5.0 MEDIUM

Developer-role auth gives PR:L and network reach AV:N/AC:L; SSRF is primarily a confidentiality/recon primitive (C:L) with scope change (S:C), while integrity/availability impact on internal targets is too situational to assert.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Red Hat
7.4 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS Vector (Vendor: redhat)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 21:53 vuln.today

Description (CVE.org)

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Analysis (AI)

Server-side request forgery in Red Hat Build of Apicurio Registry 3 allows a Developer-role user to coerce the registry server into issuing HTTP requests to arbitrary internal URLs. The flaw stems from the WSDLReaderAccessor instantiating a wsdl4j WSDLReader with the javax.wsdl.importDocuments feature left enabled, so a crafted WSDL artifact with attacker-controlled import locations is fetched when content validation runs at FULL strictness. …
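The mechanism described above comes down to one wsdl4j reader feature. As an added illustration for defenders (not code from Apicurio Registry, Red Hat, or the wsdl4j project), the following shows the weak reader construction beside a hardened one that records imports without dereferencing them; the sample WSDL and the internal-host.invalid location are constructed placeholders.

```java
import java.io.StringReader;
import java.util.List;
import java.util.Map;
import javax.wsdl.Definition;
import javax.wsdl.Import;
import javax.wsdl.WSDLException;
import javax.wsdl.factory.WSDLFactory;
import javax.wsdl.xml.WSDLReader;
import org.xml.sax.InputSource;

public class WsdlReaderHardening {

    // Constructed sample: a minimal WSDL whose <wsdl:import> points at a
    // placeholder address that the server must never be coerced into fetching.
    static final String UNTRUSTED_WSDL =
        "<wsdl:definitions name=\"demo\" targetNamespace=\"urn:demo\""
      + " xmlns:wsdl=\"http://schemas.xmlsoap.org/wsdl/\">"
      + "  <wsdl:import namespace=\"urn:other\""
      + " location=\"http://internal-host.invalid/metadata\"/>"
      + "</wsdl:definitions>";

    // Weak configuration (the pattern the advisory describes): wsdl4j defaults
    // leave javax.wsdl.importDocuments enabled, so import locations are fetched.
    static WSDLReader unsafeReader() throws WSDLException {
        return WSDLFactory.newInstance().newWSDLReader();
    }

    // Hardened configuration: imports are parsed and recorded but not fetched.
    static WSDLReader hardenedReader() throws WSDLException {
        WSDLReader reader = WSDLFactory.newInstance().newWSDLReader();
        reader.setFeature("javax.wsdl.importDocuments", false);
        reader.setFeature("javax.wsdl.verbose", false);
        return reader;
    }

    // Parse untrusted WSDL content without allowing it to trigger outbound requests.
    static Definition parseUntrusted(String wsdl) throws WSDLException {
        // The base URI is a placeholder; with importDocuments off nothing is resolved against it.
        return hardenedReader().readWSDL("urn:untrusted", new InputSource(new StringReader(wsdl)));
    }

    public static void main(String[] args) throws WSDLException {
        Definition def = parseUntrusted(UNTRUSTED_WSDL);
        // Imports remain listed (keyed by namespace), so a validator can inspect or
        // reject them; getDefinition() stays null because nothing was downloaded.
        Map<?, ?> imports = def.getImports();
        for (Object perNamespace : imports.values()) {
            for (Object o : (List<?>) perNamespace) {
                Import imp = (Import) o;
                System.out.println("import " + imp.getLocationURI()
                    + " fetched=" + (imp.getDefinition() != null));
            }
        }
    }
}
```

Since the import locations are still available on the parsed Definition, a validator can additionally reject any location that is not an allow-listed scheme or host before accepting the artifact.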


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access
Obtain Developer-role access to registry
Delivery
Craft WSDL with malicious import URL
Exploit
Upload artifact triggering FULL validation
Execution
Server fetches attacker-controlled internal URL
Impact
Harvest internal service responses / pivot

Vulnerability Assessment (AI)

Exploitation Exploitation requires an authenticated account holding the Developer role (CVSS PR:L) and the registry's VALIDITY content rule must be set to FULL - this is the explicit configuration trigger named in the description; with validation disabled or set to syntax-only the import locations are not dereferenced. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, 7.4) reflects a network-reachable, low-complexity attack that needs low privileges (PR:L, the Developer role) and no user interaction, with a changed scope because the SSRF reaches systems beyond the registry's own security authority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a Developer-role account on an Apicurio Registry 3 instance that has the VALIDITY rule set to FULL uploads a WSDL artifact whose <wsdl:import> location points at an internal-only address such as http://169.254.169.254/latest/meta-data/ or an internal admin service. During full validation the registry server dereferences that location, letting the attacker map internal services or pull data reachable only from the server. …
Remediation No vendor-released patch version is identified in the available data; consult the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-12992) and Bugzilla 2491691 (https://bugzilla.redhat.com/show_bug.cgi?id=2491691) for the fixed release and upgrade to it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all systems running Red Hat Build of Apicurio Registry 3 and document which instances have FULL strictness validation enabled (non-default setting). …

Vendor Status (Vendor)

EUVD-2026-39577 vulnerability details – vuln.today
