Description
Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Cloud Discovery Service, Recording Service, Routing Service, Queueing Service, Observability Collector) allows Serialized Data External Linking, Data Serialization External Entities Blowup.<p>This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.1.0 before 7.3.1.1, from 6.1.0 before 6.1.2.34, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*.</p>
Published: 2026-04-01
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RTI Connext Professional, encompassing services such as Cloud Discovery, Recording, Routing, Queueing, and Observability Collector, contains an Improper Restriction of XML External Entity (XXE) reference vulnerability. The flaw permits the processing of serialized data that references external XML entities, enabling serialized data external linking and Data Serialization External Entities Blowup. An attacker who supplies crafted XML can trigger the vulnerability, potentially reading local files, accessing network resources, or causing denial‑of‑service by exhausting resources through blowup. In severe cases, this may provide a vector for arbitrary code execution.

Affected Systems

The vulnerability affects the RTI Connext Professional product suite, specifically its Routing Service, Observability Collector, Recording Service, Queueing Service, and Cloud Discovery Service. Affected versions include 7.4.0 before 7.7.0, 7.1.0 before 7.3.1.1, 6.1.0 before 6.1.2.34, 6.0.0 before 6.0.*, and 5.3.0 before 5.3.*.

Risk and Exploitability

The CVSS v3.1 score is 7.0, indicating a high impact severity. EPSS score is < 1%, suggesting a low exploitation probability, and the issue is not listed in the CISA KEV catalog, indicating limited exploitation evidence. However, the attack vector is inferred to be remote through untrusted XML input, meaning an attacker could remotely inject malicious XML payloads to trigger the vulnerability. Given the nature of XXE weaknesses and the high CVSS, the risk to affected systems remains significant until mitigated.

Generated by OpenCVE AI on June 18, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch when it becomes available
  • Disable XML external entity processing in all RTI Connext components if configuration options allow
  • Implement strict validation of XML inputs to reject or sanitize external entity references
  • Monitor system logs for suspicious XML parsing activity
  • Regularly check the RTI security advisory page for updates and new mitigations

Generated by OpenCVE AI on June 18, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat... Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Cloud Discovery Service, Recording Service, Routing Service, Queueing Service, Observability Collector) allows Serialized Data External Linking, Data Serialization External Entities Blowup.<p>This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.1.0 before 7.3.1.1, from 6.1.0 before 6.1.2.34, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*.</p>
Title Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat... Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (multiple infrastructure services) allows Serialized Data External Linking, Data Serialization External Entities Blowup.

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat...
Title Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service,Observability Collector,Recording Service,Queueing Service,Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat...
First Time appeared Rti
Rti connext Professional
Weaknesses CWE-611
CPEs cpe:2.3:a:rti:connext_professional:*:*:*:*:*:*:*:*
Vendors & Products Rti
Rti connext Professional
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Rti Connext Professional
cve-icon MITRE

Status: PUBLISHED

Assigner: RTI

Published:

Updated: 2026-06-25T15:47:55.576Z

Reserved: 2026-03-18T10:48:52.263Z

Link: CVE-2026-4374

cve-icon Vulnrichment

Updated: 2026-04-01T14:23:36.981Z

cve-icon NVD

Status : Modified

Published: 2026-04-01T02:16:03.540

Modified: 2026-06-17T19:18:09.953

Link: CVE-2026-4374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-611

    Improper Restriction of XML External Entity Reference