Vulnerability in Apicurio Registry Allows Server-Side Request Forgery and Denial of Service
CVE-2026-12975

8.5 HIGH

Key Information:

Vendor
Red Hat

CVE Published:
25 June 2026

What is CVE-2026-12975?

A security flaw exists in Apicurio Registry where the ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without adequate secure-processing configuration. This oversight allows an attacker with artifact-upload permissions, or with unauthenticated access under default settings, to upload a malicious XML document. Parsing that document can lead to server-side request forgery (SSRF) when the parser fetches external DTDs or entities, and may also cause a denial of service through unbounded entity expansion.
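Added example (not Apicurio Registry's code): the weak factory shape the advisory describes beside a hardened configuration that refuses DOCTYPE declarations and external entity resolution. The class and method names are hypothetical, and the entity URL in the sample input is constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XmlParseCheck {
    // Weak pattern (the shape the advisory describes): the default factory keeps DOCTYPE,
    // external entities and external DTD loading enabled, so a mere "does it parse" check
    // lets the uploaded document drive the parser into fetching remote resources.
    static boolean isParsableXmlWeak(String content) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.newSAXParser().parse(new InputSource(new StringReader(content)), new DefaultHandler());
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }
    // Hardened factory: refuse any DOCTYPE, and disable entity/DTD features as defence in depth.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }
    // Same content check built on the hardened factory: a document carrying a DOCTYPE
    // is rejected up front instead of having its entities resolved.
    static boolean isParsableXmlHardened(String content) {
        try {
            hardenedFactory().newSAXParser().parse(new InputSource(new StringReader(content)), new DefaultHandler());
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        // Constructed inputs: a plain document, and one declaring a DOCTYPE with an external entity.
        String plain = "<openapi><info/></openapi>";
        String withDoctype = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://dtd.example/x\">]><d>&ext;</d>";
        System.out.println(isParsableXmlHardened(plain) + " " + isParsableXmlHardened(withDoctype));
    }
}
```

The hardened variant accepts the plain document and rejects the DOCTYPE-bearing one without ever contacting the declared system identifier, which is the behaviour a content-type sniffing helper like the one named in the advisory should have.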

References

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved