Skip to main content

Apicurio Registry EUVDEUVD-2026-39593

| CVE-2026-12993 MEDIUM
Improper Restriction of Recursive Entity References in DTDs (CWE-776)
2026-06-26 secalert@redhat.com GHSA-748j-wm96-4wh5
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-accessible upload API requires explicitly granted artifact-write permission (PR:L); only availability impacted as entity expansion exhausts JVM resources without exposing data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 00:31 vuln.today

DescriptionCVE.org

A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.

AnalysisAI

CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain artifact-write credentials
Delivery
Craft billion-laughs DOCTYPE payload
Exploit
Upload XML artifact via Registry API
Execution
DocumentBuilder expands recursive entities
Persist
JVM CPU and heap exhausted
Impact
Registry service unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold artifact-write permission on the target Apicurio Registry instance - this is an explicitly granted, non-anonymous privilege confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is internally consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege account with artifact-write access - obtained legitimately in a multi-tenant deployment or via credential compromise - uploads a crafted XML schema artifact containing a billion-laughs internal entity expansion payload to the Apicurio Registry API endpoint. The Registry's DocumentBuilder begins recursively expanding entity references, consuming JVM heap until either the JAXP 64,000-expansion cap is reached or memory is exhausted, rendering the Registry unresponsive to subsequent API calls. …
Remediation Consult https://access.redhat.com/security/cve/CVE-2026-12993 and https://bugzilla.redhat.com/show_bug.cgi?id=2491692 for the confirmed patched release once published - an exact fix version was not present in the provided input data, so 'patch available per vendor advisory' is the most that can be confirmed at this time. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-39593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy