CVE Catalog

CVE-2026-12992

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile — higher than 9% of all known CVEs

Summary

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Risk Assessment

The risk involves potential scanning of the internal network, access to sensitive services or data, and possible escalation of attacks to other internal systems.

Recommendation

It is recommended to immediately update Apicurio Registry to a version where the javax.wsdl.importDocuments feature is disabled, or apply a temporary workaround by changing the VALIDITY rule to something other than FULL.

Original NVD description (English source)

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS