CVE Vulnerabilities

CVE-2026-12992

Server-Side Request Forgery (SSRF)

Published: Jun 25, 2026 | Modified: Jul 06, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.4 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Ubuntu
root.io logo minimus.io logo echo.ai logo

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Software

NameVendorStart VersionEnd Version
Build_of_apicurio_registryRedhat3.0 (including)3.2 (including)

References