Apicurio Registry XML Entity Expansion DoS via External Entity Upload
CVE-2026-12993 Published on June 25, 2026
Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset
A flaw was found in Apicurio Registry. The DocumentBuilderAccessor correctly blocks external DTD and schema access but does not disable DOCTYPE declarations or enable FEATURE_SECURE_PROCESSING. An attacker with artifact-write permission can upload XML documents with internal entity-expansion payloads (billion-laughs variant) that cause CPU and heap exhaustion, partially mitigated by the JAXP default 64,000 entity-expansion limit.
Vulnerability Analysis
CVE-2026-12993 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public. 17 days later.
Weakness Type
What is a XEE Vulnerability?
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
CVE-2026-12993 has been classified to as a XEE vulnerability or weakness.
Products Associated with CVE-2026-12993
Want to know whenever a new CVE is published for Red Hat Apicurio Registry? stack.watch will email you.
