Apicurio Registry XML SSRF via External DTD Entity Fetch (CVE-2026-12975)
CVE-2026-12975 Published on June 25, 2026
Apicurio/apicurio-registry: apicurio-registry: unhardened saxparser in content-type detection leads to blind xxe / ssrf / billion-laughs dos
A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs with default configuration) can upload a crafted XML document to trigger blind server-side request forgery (SSRF) via external DTD/entity fetch, or cause denial of service via entity expansion.
Vulnerability Analysis
CVE-2026-12975 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public. 17 days later.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2026-12975 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2026-12975
Want to know whenever a new CVE is published for Red Hat Apicurio Registry? stack.watch will email you.
