XML Entity Expansion Vulnerability in Apicurio Registry
CVE-2026-12993

6.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Apicurio Registry 3
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-12993?

A vulnerability in Apicurio Registry allows an attacker with artifact-write permissions to upload specially crafted XML documents that exploit internal entity expansion, potentially leading to CPU and heap exhaustion. While the DocumentBuilderAccessor has safeguards against external DTD and schema access, it fails to fully mitigate risks associated with DOCTYPE declarations and does not enable FEATURE_SECURE_PROCESSING. This can be exacerbated when the attacker sends payloads based on the billion-laughs attack method, leading to significant resource consumption on the server.

References

https://access.redhat.com/security/cve/CVE-2026-12993

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2491692

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 23, 2026

CVE-2026-12993 Data

JSON

Red Hat

What is CVE-2026-12993?

References

CVSS V3.1

Timeline