CVE-2026-12992
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
A server-side request forgery (SSRF) vulnerability was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs.
Risk Assessment
An attacker can exploit this vulnerability to scan the internal network, access sensitive internal services, or launch attacks against other internal systems, potentially leading to data breaches or service disruption.
Recommendation
Immediately update Apicurio Registry to a version that disables the javax.wsdl.importDocuments feature in WSDLReaderAccessor. Until the update is applied, set the VALIDITY rule to a value other than FULL and restrict Developer role permissions.
Original NVD description (English source)
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

