Description
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).
Published: 2026-06-25
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in Apicurio Registry when the WSDLReaderAccessor creates a wsdl4j WSDLReader that still allows the javax.wsdl.importDocuments feature. With VALIDITY set to FULL, an attacker who can upload a WSDL document—by virtue of Developer‑role privileges—can embed attacker-controlled import URLs. The registry then issues HTTP requests to those URLs, giving the attacker access to arbitrary internal addresses. This behavior constitutes a classic SSRF, capable of internal network reconnaissance or data exfiltration, and is classified as CWE‑918.

Affected Systems

The vulnerability affects the Red Hat build of Apicurio Registry version 3, as identified by the CPE cpe:/a:redhat:apicurio_registry:3. Any deployment that permits Developer‑role users to upload WSDL files with FULL validation enabled is vulnerable; no other vendors or product versions are noted.

Risk and Exploitability

The CVSS score of 7.4 signifies a moderate‑high severity with high exploitation difficulty. EPSS data is not available, and the issue is not listed in the CISA KEV catalog yet. Exploitation requires that the attacker already has Developer‑role access, after which the SSRF can target internal services over HTTP or HTTPS. Consequently, the risk is significant for environments where internal services are exposed and Developer permissions are distributed broadly.

Generated by OpenCVE AI on June 25, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for Apicurio Registry 3 as soon as it is released.
  • Restrict Developer‑role permissions to trusted personnel and consider disabling the ability to upload WSDL files.
  • Configure wsdl4j or the registry to reject or block external import URLs during FULL validation.
  • Enable logging of outbound HTTP requests from the registry and monitor for unexpected destinations.
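The third action above is what the description itself points at: a wsdl4j WSDLReader keeps javax.wsdl.importDocuments enabled by default, so any <import location="..."> is fetched during parsing. The following is an added example, not code from Apicurio Registry, showing the hardened reader construction; the WSDL text and the internal-service hostname are constructed placeholders.

```java
import java.io.StringReader;
import javax.wsdl.Definition;
import javax.wsdl.WSDLException;
import javax.wsdl.factory.WSDLFactory;
import javax.wsdl.xml.WSDLReader;
import org.xml.sax.InputSource;

public final class WsdlImportCheck {

    // Constructed sample: a WSDL whose <import> points at an internal address (placeholder host).
    static final String WSDL_WITH_IMPORT =
        "<definitions xmlns=\"http://schemas.xmlsoap.org/wsdl/\" targetNamespace=\"urn:example\">"
      + "  <import namespace=\"urn:other\" location=\"http://internal-service.example/other.wsdl\"/>"
      + "</definitions>";

    // Build a reader for untrusted input. wsdl4j defaults importDocuments to true, which is the
    // behaviour the advisory describes; passing false records the import without dereferencing it.
    static WSDLReader newReader(boolean followImports) throws WSDLException {
        WSDLReader reader = WSDLFactory.newInstance().newWSDLReader();
        reader.setFeature("javax.wsdl.verbose", false);
        reader.setFeature("javax.wsdl.importDocuments", followImports);
        return reader;
    }

    // Parse from an in-memory string. With followImports=false no outbound HTTP request is made,
    // so the registry's validation cannot be steered at internal URLs.
    static Definition parse(String wsdl, boolean followImports) throws WSDLException {
        WSDLReader reader = newReader(followImports);
        return reader.readWSDL(null, new InputSource(new StringReader(wsdl)));
    }

    public static void main(String[] args) throws WSDLException {
        Definition def = parse(WSDL_WITH_IMPORT, false);
        // The import is still visible to later validation logic; its location was never fetched.
        System.out.println("imports declared: " + def.getImports().size());
    }
}
```

If the validation rule genuinely needs imported documents, resolve them yourself against an allow-list of hosts rather than letting the reader follow arbitrary locations.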

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type        Values Removed          Values Added
References  (empty)                 (empty)
Metrics     threat_severity: None   threat_severity: Important


Thu, 25 Jun 2026 22:30:00 +0000

Type     Values Removed   Values Added
Metrics  (empty)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description          (empty)          A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).
Title                (empty)          Apicurio/apicurio-registry: apicurio-registry: ssrf via wsdl4j import dereference in wsdl full validation
First Time appeared  (empty)          Redhat; Redhat apicurio Registry
Weaknesses           (empty)          CWE-918
CPEs                 (empty)          cpe:/a:redhat:apicurio_registry:3
Vendors & Products   (empty)          Redhat; Redhat apicurio Registry
References           (empty)          (empty)
Metrics              (empty)          cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T21:35:50.805Z

Reserved: 2026-06-23T12:14:13.060Z

Link: CVE-2026-12992

Vulnrichment

Updated: 2026-06-25T21:35:46.386Z

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-10T13:00:00Z

Links: CVE-2026-12992 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)