CVE-2026-12975
Blind SSRF via XML External Entity in Apicurio Registry

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Red Hat, Inc.

Description
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
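The corrected parser configuration a defender would apply to a SAXParserFactory of this kind, as an added example: this is not Apicurio's code, the class and the reuse of the isParsableXml() name are hypothetical, and the sample document with its placeholder DTD URL is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.helpers.DefaultHandler;

public class XmlParseCheck {

    // The weak pattern the advisory describes is a bare SAXParserFactory.newInstance():
    // DOCTYPE processing and external entity resolution stay enabled. The hardened
    // factory forbids DOCTYPE outright (stops external DTDs, external entities and
    // entity-expansion DoS) and turns the entity features off as defence in depth
    // for parsers that do not honour disallow-doctype-decl.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parse-ability check in the spirit of isParsableXml() (hypothetical, not
    // Apicurio's implementation): true only if the document parses cleanly.
    static boolean isParsableXml(SAXParserFactory factory, String xml) {
        try {
            SAXParser parser = factory.newSAXParser();
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            parser.parse(new ByteArrayInputStream(bytes), new DefaultHandler());
            return true;
        } catch (Exception e) {
            // Under the hardened factory a DOCTYPE fails here, before any fetch.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DTD reference to a placeholder external URL.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE root SYSTEM \"http://placeholder.invalid/external.dtd\">\n"
            + "<root/>";
        SAXParserFactory hardened = hardenedFactory();
        System.out.println("plain parses: " + isParsableXml(hardened, "<root><a>1</a></root>"));
        System.out.println("DOCTYPE parses: " + isParsableXml(hardened, withDoctype));
    }
}
```

With the hardened factory a document carrying any DOCTYPE is rejected at parse time, so neither the external DTD fetch nor entity expansion can occur; the same feature set applies to any other SAX or DOM factory in the code base.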
Affected Vendors & Products
1 associated CPE: vendor apicurio, product registry, version / range *
CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Executive Summary

This vulnerability exists in Apicurio Registry's ContentTypeUtil.isParsableXml() method, which creates a SAXParserFactory without enabling secure processing or disabling external entity resolution.

An attacker who has artifact-write permission, or even an unauthenticated attacker if the registry runs with default configuration, can upload a specially crafted XML document.

This crafted XML can trigger blind server-side request forgery (SSRF) by fetching external DTD/entities or cause a denial of service (DoS) through entity expansion.

Impact Analysis

The vulnerability can lead to blind server-side request forgery (SSRF), allowing an attacker to make the server perform unintended requests to internal or external systems.

It can also cause denial of service (DoS) by exploiting entity expansion, potentially making the Apicurio Registry service unavailable.

The CVSS score of 8.5 indicates a high severity impact, with low attack complexity and no user interaction required.
