CVE-2026-12992 | A flaw was found in Apicurio Registry. The WSDLReaderAccesso… | CVSS 7.4 HIGH

Description

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Metadata

CVE ID: CVE-2026-12992
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-23 12:14 UTC
Published: 2026-06-25 21:16 UTC
Last updated: 2026-06-25 21:35 UTC
Primary CWE: CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product: Red Hat / Red Hat build of Apicurio Registry 3
Sources: cve.org · NVD

Severity & Metrics

7.4 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (2)

Vendor	Product	Platform	Versions
Red Hat	Red Hat build of Apicurio Registry 3	—	—
Red Hat	Red Hat build of Apicurio Registry 3	—	—

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.4	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References (2)