Server-Side Request Forgery Vulnerability in Apicurio Registry by Red Hat
CVE-2026-12992

7.4 HIGH

Key Information:

Vendor: Red Hat
CVE Published: 25 June 2026

What is CVE-2026-12992?

A security flaw has been identified in Apicurio Registry where the WSDLReaderAccessor does not properly disable the javax.wsdl.importDocuments feature. When the VALIDITY rule is configured to FULL, an attacker possessing Developer-role access can exploit this vulnerability by uploading a WSDL document that contains manipulated import locations. This oversight allows the registry to make unauthorized HTTP requests to internal URLs, potentially leading to unauthorized access and data breaches. It is crucial for users of affected versions to apply necessary patches to mitigate this risk.
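The reader configuration the description refers to, shown as an added example (not Apicurio Registry's own code or its patch): it lists the import locations in an uploaded WSDL and then parses it with wsdl4j's javax.wsdl.importDocuments feature switched off, so none of them are fetched. The class name, the sample document and the host internal.example are constructed for illustration; wsdl4j is assumed to be on the classpath, and listing the XSD schemaLocation values is an addition for reviewers rather than something the advisory mentions.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.wsdl.factory.WSDLFactory;
import javax.wsdl.xml.WSDLReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SafeWsdlRead {
    static final String WSDL_NS = "http://schemas.xmlsoap.org/wsdl/";
    static final String XSD_NS = "http://www.w3.org/2001/XMLSchema";
    // Constructed sample upload; internal.example is a placeholder host.
    static final String SAMPLE =
        "<definitions xmlns='" + WSDL_NS + "' targetNamespace='urn:example'>"
        + "<import namespace='urn:other' location='http://internal.example/other.wsdl'/>"
        + "</definitions>";

    // Parse the upload into a DOM with DOCTYPE declarations rejected.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Collect every import/include location so it can be logged or reviewed.
    static List<String> importLocations(Document doc) {
        String[][] targets = {{WSDL_NS, "import", "location"},
            {XSD_NS, "import", "schemaLocation"}, {XSD_NS, "include", "schemaLocation"}};
        List<String> out = new ArrayList<>();
        for (String[] t : targets) {
            NodeList nodes = doc.getElementsByTagNameNS(t[0], t[1]);
            for (int i = 0; i < nodes.getLength(); i++) {
                String v = ((Element) nodes.item(i)).getAttribute(t[2]);
                if (!v.isEmpty()) out.add(t[1] + " -> " + v);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);
        System.out.println("import locations in upload: " + importLocations(doc));
        WSDLReader reader = WSDLFactory.newInstance().newWSDLReader();
        // With this feature off, the reader records imports but does not retrieve them.
        reader.setFeature("javax.wsdl.importDocuments", false);
        String ns = reader.readWSDL(null, doc).getTargetNamespace();
        System.out.println("validated " + ns + " without resolving imports");
    }
}
```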

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved