CVE-2026-12993: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in Red Hat Red Hat build of Apicurio Registry 3
CVE-2026-12993 is a vulnerability in Red Hat build of Apicurio Registry 3 where the XML parser does not disable DOCTYPE declarations or enable secure processing features, allowing an attacker with artifact-write permission to upload XML documents containing recursive entity expansions (billion-laughs attack). This can cause CPU and heap exhaustion, leading to denial of service. The default JAXP entity-expansion limit partially mitigates the impact. No specific affected versions or patches are currently detailed in the advisory.
AI Analysis
Technical Summary
The vulnerability arises because the DocumentBuilderAccessor in Apicurio Registry correctly blocks external DTD and schema access but fails to disable DOCTYPE declarations or enable the FEATURE_SECURE_PROCESSING flag. This allows an attacker with artifact-write permissions to submit XML documents with internal entity expansion payloads, specifically the billion-laughs variant, which can exhaust CPU and heap memory resources. The JAXP default limit of 64,000 entity expansions provides partial mitigation. There is no vendor advisory indication of an official fix or patch at this time.
Potential Impact
Successful exploitation results in denial of service through resource exhaustion (CPU and heap memory) caused by recursive XML entity expansion. There is no impact on confidentiality or integrity reported. The attack requires artifact-write permissions, limiting the attacker scope. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12993 for current remediation guidance. Until a fix is available, restrict artifact-write permissions to trusted users only to reduce risk. The default JAXP entity expansion limit partially mitigates the impact but does not fully prevent denial of service.
CVE-2026-12993: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in Red Hat Red Hat build of Apicurio Registry 3
Description
CVE-2026-12993 is a vulnerability in Red Hat build of Apicurio Registry 3 where the XML parser does not disable DOCTYPE declarations or enable secure processing features, allowing an attacker with artifact-write permission to upload XML documents containing recursive entity expansions (billion-laughs attack). This can cause CPU and heap exhaustion, leading to denial of service. The default JAXP entity-expansion limit partially mitigates the impact. No specific affected versions or patches are currently detailed in the advisory.
CVSS v3.1
Score 6.5medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the DocumentBuilderAccessor in Apicurio Registry correctly blocks external DTD and schema access but fails to disable DOCTYPE declarations or enable the FEATURE_SECURE_PROCESSING flag. This allows an attacker with artifact-write permissions to submit XML documents with internal entity expansion payloads, specifically the billion-laughs variant, which can exhaust CPU and heap memory resources. The JAXP default limit of 64,000 entity expansions provides partial mitigation. There is no vendor advisory indication of an official fix or patch at this time.
Potential Impact
Successful exploitation results in denial of service through resource exhaustion (CPU and heap memory) caused by recursive XML entity expansion. There is no impact on confidentiality or integrity reported. The attack requires artifact-write permissions, limiting the attacker scope. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12993 for current remediation guidance. Until a fix is available, restrict artifact-write permissions to trusted users only to reduce risk. The default JAXP entity expansion limit partially mitigates the impact but does not fully prevent denial of service.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-23T12:18:15.412Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-12993","vendor":"Red Hat"}]
Threat ID: 6a3dbdc04853345fc1a9482a
Added to database: 06/25/2026, 23:46:08 UTC
Last enriched: 06/26/2026, 00:01:48 UTC
Last updated: 06/26/2026, 00:12:40 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.