CVE-2026-12975
Analyzed Analyzed - Analysis Complete

Blind SSRF via XML External Entity in Apicurio Registry

Vulnerability report for CVE-2026-12975, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-15

Assigner: Red Hat, Inc.

Description

A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_apicurio_registry From 3.0 (inc) to 3.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Apicurio Registry's ContentTypeUtil.isParsableXml() method, which creates a SAXParserFactory without enabling secure processing or disabling external entity resolution.

An attacker who has artifact-write permission, or even an unauthenticated attacker if the registry runs with default configuration, can upload a specially crafted XML document.

This crafted XML can trigger blind server-side request forgery (SSRF) by fetching external DTD/entities or cause a denial of service (DoS) through entity expansion.

Impact Analysis

The vulnerability can lead to blind server-side request forgery (SSRF), allowing an attacker to make the server perform unintended requests to internal or external systems.

It can also cause denial of service (DoS) by exploiting entity expansion, potentially making the Apicurio Registry service unavailable.

The CVSS score of 8.5 indicates a high severity impact, with low attack complexity and no user interaction required.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring artifact upload requests to the Apicurio Registry, especially REST API calls like POST /apis/registry/v2/groups/{g}/artifacts where the Content-Type header is omitted or set to application/xml.

Detection involves looking for suspicious XML payloads that may contain external entity definitions or DTD declarations which could trigger SSRF or DoS attacks.

Network detection can include monitoring outbound HTTP requests initiated by the server during artifact uploads, which may indicate blind SSRF attempts.

While no specific commands are provided in the resources, typical detection commands could include using network monitoring tools like tcpdump or Wireshark to capture outbound requests from the server during artifact uploads, or using application logs to identify uploads with XML content lacking hardened parsing.

Mitigation Strategies

Immediate mitigation involves hardening the SAXParser used in the ContentTypeUtil.isParsableXml() method by enabling secure processing features.

  • Enable the 'disallow-doctype-decl' feature to prevent processing of DOCTYPE declarations.
  • Enable 'secure-processing' to limit XML processing capabilities and prevent resource exhaustion.
  • Disable external entity resolution to block external DTD/entity fetches that can lead to SSRF.

Additionally, restrict artifact-write permissions to trusted users and avoid running the registry with default configurations that allow unauthenticated uploads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12975. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart