CVE-2026-12993
Status: Received - Intake
XML Entity Expansion DoS in Apicurio Registry

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Red Hat, Inc.

Description
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
Affected Vendors & Products
1 associated CPE:
Vendor: apicurio | Product: registry | Version / Range: * (any version)
CWE
CWE-776: The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Executive Summary

CVE-2026-12993 is a vulnerability in Apicurio Registry's XML parsing infrastructure. The issue occurs because the DocumentBuilderAccessor blocks external entity fetching but does not disable DOCTYPE declarations or enable the FEATURE_SECURE_PROCESSING security feature.

This allows an attacker with artifact-write permission to upload malicious XML documents containing internal entity-expansion payloads, such as the billion-laughs attack, whose nested entity definitions expand exponentially when the parser resolves them, consuming CPU and memory out of proportion to the size of the upload.

Although the default Java runtime limits entity expansions to 64,000, this only partially mitigates the attack, and repeated or parallel uploads can still exhaust CPU and heap memory, leading to denial of service.

The same weakness exists in SchemaFactoryAccessor.java: when the runtime rejects one of the security properties the accessor tries to set, the rejection is silently ignored and the factory is returned unhardened.

The recommended fix is to explicitly enable the disallow-doctype-decl and FEATURE_SECURE_PROCESSING features, and to change SchemaFactoryAccessor to fail closed by throwing an exception whenever a security property is rejected instead of continuing with a partially configured factory.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) attack against the Apicurio Registry service.

An attacker with artifact-write permission can upload specially crafted XML documents that cause excessive CPU and heap memory consumption, potentially overwhelming the system.

Such resource exhaustion can degrade service availability for all users and tenants relying on the registry, causing outages or performance degradation.

Detection Guidance

This vulnerability can be detected by monitoring for unusual CPU and heap usage spikes on the Apicurio Registry pods or servers, especially during artifact uploads.

Because the attack relies on uploading XML documents that carry internal entity-expansion payloads (billion-laughs variant), inspecting logs or network traffic for XML uploads that contain DOCTYPE declarations or unusually many entity declarations and references may help identify exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Using system monitoring tools like top, htop, or similar to detect CPU and memory exhaustion on the registry service.
  • Using network packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze XML payloads for DOCTYPE declarations.
  • Reviewing application logs for artifact-write operations that include suspicious XML content.
Mitigation Strategies

Immediate mitigation involves hardening the XML parsing configuration in Apicurio Registry by explicitly enabling the disallow-doctype-decl feature and FEATURE_SECURE_PROCESSING in the DocumentBuilderAccessor and SchemaFactoryAccessor components.

Additionally, modifying SchemaFactoryAccessor to fail-closed by throwing an exception when security properties are rejected will prevent the factory from remaining unhardened.
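The two configuration changes described above, as an added Java example that is not Apicurio Registry's own code: a DocumentBuilderFactory that disallows DOCTYPE and enables FEATURE_SECURE_PROCESSING (with the external-access settings the advisory says were already in place), and a SchemaFactory constructor that fails closed by letting the JAXP exceptions propagate rather than swallowing them. The class name HardenedXmlFactories, the helper rejectedByHardenedParser and the two sample documents in main are constructed for illustration; the feature URIs and XMLConstants names are standard JAXP/Xerces identifiers.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/**
 * Hardened JAXP factory construction (example code, not Apicurio Registry's own).
 * Mirrors the fix the advisory describes: disallow DOCTYPE, enable
 * FEATURE_SECURE_PROCESSING, and fail closed if the runtime rejects a setting.
 */
public final class HardenedXmlFactories {

    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** DocumentBuilderFactory with DOCTYPE disallowed and secure processing on. */
    public static DocumentBuilderFactory newDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The two settings the vulnerable accessor left off. setFeature throws
        // ParserConfigurationException when unsupported; we let it propagate (fail closed).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth: no external entities or DTDs, no XInclude, no entity expansion.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature(LOAD_EXTERNAL_DTD, false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // External access already blocked in the vulnerable version; kept here for completeness.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    /**
     * Fail-closed SchemaFactory. The anti-pattern the advisory describes wraps each
     * setFeature/setProperty call in a try/catch that logs and continues; this version
     * declares the checked exceptions so an unhardened factory is never returned.
     */
    public static SchemaFactory newSchemaFactory()
            throws SAXNotRecognizedException, SAXNotSupportedException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    /** Returns true when the hardened parser refuses the document, false when it parses cleanly. */
    public static boolean rejectedByHardenedParser(String xml)
            throws ParserConfigurationException, IOException {
        DocumentBuilder db = newDocumentBuilderFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            // With disallow-doctype-decl on, any DOCTYPE yields a SAXParseException
            // before a single entity is expanded.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain artifact and one carrying an internal DTD subset.
        String plain = "<schema><field name=\"id\"/></schema>";
        String withDoctype = "<!DOCTYPE schema [<!ENTITY e \"x\">]><schema>&e;</schema>";
        System.out.println("plain artifact rejected:   " + rejectedByHardenedParser(plain));
        System.out.println("DOCTYPE artifact rejected: " + rejectedByHardenedParser(withDoctype));
        // Throws rather than silently degrading if the JAXP implementation refuses a setting.
        newSchemaFactory();
    }
}
```

The important design point is in what is absent: there is no try/catch around the hardening calls. If a non-default JAXP provider on the classpath does not recognise a feature, construction fails loudly and the registry refuses to parse at all, which is the behaviour the advisory asks SchemaFactoryAccessor to adopt. Rejecting DOCTYPE outright also makes the 64,000 entity-expansion limit irrelevant, since expansion never starts.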

Until patches are applied, monitoring and limiting artifact-write permissions to trusted users can reduce the risk of exploitation.

Also, consider applying resource limits and quotas on the registry pods to mitigate the impact of potential denial of service attacks.

Compliance Impact

The vulnerability in Apicurio Registry allows an attacker with artifact-write permission to cause denial of service via XML entity-expansion attacks, leading to CPU and heap exhaustion. This can degrade service availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service vulnerabilities can impact availability requirements that are part of many security frameworks and regulations.

Therefore, this vulnerability could negatively affect compliance with regulations that mandate system availability and resilience, but no direct linkage or specific compliance impact is detailed in the provided information.
