Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-accessible upload API requires explicitly granted artifact-write permission (PR:L); only availability impacted as entity expansion exhausts JVM resources without exposing data.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
AnalysisAI
CPU and heap exhaustion in Apicurio Registry's XML artifact processing pipeline allows authenticated users with artifact-write permission to cause denial of service via billion-laughs entity expansion. The DocumentBuilderAccessor correctly blocks external DTD and schema resolution - preventing SSRF/XXE - but omits two complementary protections: disabling DOCTYPE declarations entirely and enabling JAXP's FEATURE_SECURE_PROCESSING flag, leaving the parser exposed to recursive internal entity expansion. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold artifact-write permission on the target Apicurio Registry instance - this is an explicitly granted, non-anonymous privilege confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is internally consistent with the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege account with artifact-write access - obtained legitimately in a multi-tenant deployment or via credential compromise - uploads a crafted XML schema artifact containing a billion-laughs internal entity expansion payload to the Apicurio Registry API endpoint. The Registry's DocumentBuilder begins recursively expanding entity references, consuming JVM heap until either the JAXP 64,000-expansion cap is reached or memory is exhausted, rendering the Registry unresponsive to subsequent API calls. … |
| Remediation | Consult https://access.redhat.com/security/cve/CVE-2026-12993 and https://bugzilla.redhat.com/show_bug.cgi?id=2491692 for the confirmed patched release once published - an exact fix version was not present in the provided input data, so 'patch available per vendor advisory' is the most that can be confirmed at this time. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39593
GHSA-748j-wm96-4wh5