CVE Catalog

CVE-2026-12992

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile - higher than 8% of all known CVEs

Summary

A server-side request forgery (SSRF) vulnerability was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs.

Risk Assessment

An attacker can exploit this vulnerability to scan the internal network, access sensitive internal services, or launch attacks against other internal systems, potentially leading to data breaches or service disruption.

Recommendation

Immediately update Apicurio Registry to a version that disables the javax.wsdl.importDocuments feature in WSDLReaderAccessor. Until the update is applied, set the VALIDITY rule to a value other than FULL and restrict Developer role permissions.

Original NVD description (English source)

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS