Zero Day MonitorZDM

← Back to list

7.4

CVE-2026-12992EXPLOITED

red hat · red hat build of apicurio registry

Apicurio/apicurio-registry: apicurio-registry: ssrf via wsdl4j import dereference in wsdl full validation

Description

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).

Affected Products

Vendor	Product	Versions
red hat	red hat build of apicurio registry	—

References

https://access.redhat.com/security/cve/CVE-2026-12992(vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2491691(issue-tracking, x_refsource_REDHAT)

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-12992 | Red Hat Apicurio Registry 3 Documents Feature javax.wsdl server-side request forgery

→ No new info (linked only)

CVSS 3.17.4 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-918

PublishedJun 25, 2026

Last enriched1d agov2

Tags

CVE-2026-12992

Trending Score38

Source articles1

Independent1

Info Completeness7/14

Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-9800EXP

Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison

NONECVE-2026-9086EXP

Keycloak: keycloak: cross-site scripting (xss) via case-insensitive uri validation bypass

NONECVE-2026-9083EXP

Keycloak: keycloak: information disclosure through arbitrary filesystem path probing

HIGHCVE-2026-12993EXP

Apicurio/apicurio-registry: apicurio-registry: xml entity-expansion denial of service via internal dtd subset

NONECVE-2026-13325EXP

Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 25, 2026

Discovered by ZDM

Jun 25, 2026

Actively Exploited

Jun 25, 2026

Updated: severity, activelyExploited, tags

Jun 26, 2026

Version History

v2

Last enriched 1d ago

v2Tier C1d ago

Updated severity to CRITICAL, marked as actively exploited, and added new tag CVE-2026-12992.

severityactivelyExploitedtags

via VulDB

v12d ago

Initial creation