CVE-2026-12992
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).
Risk Assessment
The risk involves potential scanning of the internal network, access to sensitive services or data, and possible escalation of attacks to other internal systems.
Recommendation
It is recommended to immediately update Apicurio Registry to a version where the javax.wsdl.importDocuments feature is disabled, or apply a temporary workaround by changing the VALIDITY rule to something other than FULL.
Original NVD description (English source)
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

