Description
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
Published: 2026-06-25
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Apicurio Registry causes the content-type detection routine to instantiate a SAX parser with unsecured settings, leaving external entity resolution enabled. When an attacker supplies a crafted XML document through artifact upload, the registry fetches the external DTD or entity, resulting in blind server-side request forgery (SSRF). In addition, unchecked entity expansion can cause a denial-of-service condition by exhausting memory. The primary consequence is SSRF combined with potential DoS, giving an attacker network reach from the registry host and an impact on availability.

Affected Systems

The vulnerability affects Red Hat’s build of Apicurio Registry 3. No specific sub-versions are listed in the advisory, so any instance running the vulnerable code should be considered at risk; detailed version information is not provided.

Risk and Exploitability

The CVSS score of 8.5 ranks the weakness as high severity. Because the EPSS score is not reported, the real likelihood of exploitation is unclear, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to upload artifacts, so it is limited to users with that permission or an unauthenticated registry that runs with default settings. Once the upload is successful the attack chain is straightforward: an XML file that references an external entity is parsed, leading to a blind SSRF or resource exhaustion attack.

Generated by OpenCVE AI on June 25, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Apicurio Registry that disables external entity resolution in the SAX parser.
  • Configure the registry to enable XML secure processing or explicitly set the SAXParserFactory properties to prohibit external DTD resolution.
  • Limit artifact‑write permissions or remove unauthenticated upload capability to reduce the attack surface.
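As an added, defensive illustration (not Apicurio's own code; the real ContentTypeUtil.isParsableXml() body is not on this page), a content-type probe written the way the second recommendation describes: a SAXParserFactory with secure processing enabled and external DTD/entity resolution disabled. The class name, the method signature and the sample inputs are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical hardened replacement for a content-type probe (not the project's code).
public class HardenedXmlProbe {

    // Returns true only if `content` parses as XML under a parser that cannot
    // resolve external DTDs/entities or expand entity bombs. Fails closed:
    // a parser-configuration problem also yields false rather than an unsafe parse.
    public static boolean isParsableXml(String content) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            // Secure processing switches on the JDK's entity-expansion and size limits.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // A content-type probe never needs a DOCTYPE; rejecting it removes both
            // external entity fetches and internal entity expansion in one step.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Belt and braces in case the DOCTYPE rule is ever relaxed.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);

            XMLReader reader = f.newSAXParser().getXMLReader();
            reader.setContentHandler(new DefaultHandler());
            // Last line of defence: any entity the parser still asks for resolves to nothing.
            reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
            reader.parse(new InputSource(new StringReader(content)));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain document, and one carrying a DOCTYPE with an internal entity.
        String plain = "<schema><field name=\"id\"/></schema>";
        String withDoctype = "<!DOCTYPE a [<!ENTITY e \"x\">]><a>&e;</a>";
        System.out.println("plain:   " + isParsableXml(plain));
        System.out.println("doctype: " + isParsableXml(withDoctype)); // DOCTYPE is refused before any entity is read
    }
}
```

The trade-off to note is that documents carrying a DOCTYPE are classified as "not XML" by this probe; if that is unacceptable for a deployment, keep the three external-entity features off and secure processing on, and rely on the JDK's expansion limits for the entity-expansion case.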


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
Title | | Apicurio/apicurio-registry: apicurio-registry: unhardened saxparser in content-type detection leads to blind xxe / ssrf / billion-laughs dos
First Time appeared | | Redhat; Redhat apicurio Registry
Weaknesses | | CWE-611
CPEs | | cpe:/a:redhat:apicurio_registry:3
Vendors & Products | | Redhat; Redhat apicurio Registry
References | |
Metrics | | cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T21:12:31.301Z

Reserved: 2026-06-23T10:44:04.308Z

Link: CVE-2026-12975

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-611

    Improper Restriction of XML External Entity Reference