Red Hat Apicurio Registry
Recent Red Hat Apicurio Registry Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2024:7861 | (RHSA-2024:7861) Critical: Apicurio Registry (container images) release and security update [ 2.6.5 GA ] | October 9, 2024 |
By the Year
In 2026 there have been 3 vulnerabilities in Red Hat Apicurio Registry, with an average score of 7.5 out of ten. Last year, in 2025, Apicurio Registry had 2 security vulnerabilities published. That is, 1 more vulnerability has already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is higher by 0.52.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 7.47 |
| 2025 | 2 | 6.95 |
| 2024 | 1 | 7.00 |
It may take a day or so for new Apicurio Registry vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Apicurio Registry Security Vulnerabilities
Apicurio Registry XML Entity Expansion DoS via External Entity Upload
CVE-2026-12993
6.5 - Medium
June 25, 2026
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
XEE
Apicurio Registry WSDLReaderAccessor SSRF via WSDL Import
CVE-2026-12992
7.4 - High
June 25, 2026
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).
SSRF
Apicurio Registry XML SSRF via External DTD Entity Fetch
CVE-2026-12975
8.5 - High
June 25, 2026
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
XXE
Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195
6.4 - Medium
August 07, 2025
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Incorrect Default Permissions
Smallrye Fault Tolerance OOM DoS via /metrics URI
CVE-2025-2240
7.5 - High
March 12, 2025
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Stack Exhaustion
Quarkus Core Env Var Leakage in Build
CVE-2024-2700
7 - High
April 04, 2024
A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, so the resulting application, when run, inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
Exposure of Sensitive Information Through Environmental Variables