CVE-2026-22186 is an XML External Entity (XXE) vulnerability classified under CWE-611, affecting the Open Microscopy Environment's Bio-Formats software up to version 8.3.0. The vulnerability is located in the Leica Microsystems metadata parsing component, such as the XLEF parser, which processes Leica XML-based metadata files. The root cause is the use of an insecurely configured DocumentBuilderFactory that permits external entity expansion and loading of external Document Type Definitions (DTDs). An attacker can craft a malicious metadata file that, when parsed by the vulnerable component, triggers outbound network requests (leading to SSRF), accesses local files readable by the application, or causes denial of service by exhausting resources during XML parsing. This can compromise confidentiality by exposing local files, impact availability through denial of service, and integrity if the attacker influences processing outcomes. The vulnerability does not require authentication or privileges but does require user interaction to open or process the malicious metadata file. Although no exploits are currently known in the wild, the vulnerability poses a moderate risk given the sensitive nature of microscopy data and the environments where Bio-Formats is deployed, such as biomedical research institutions and healthcare organizations. The CVSS 4.6 score reflects a medium severity with local attack vector, low complexity, no privileges required, and user interaction needed.

For European organizations, particularly those in biomedical research, healthcare, and academic institutions that utilize Bio-Formats for microscopy image data management, this vulnerability could lead to unauthorized disclosure of sensitive research data or patient information through SSRF or local file access. Denial of service attacks could disrupt critical research workflows or diagnostic processes. The ability to trigger outbound network requests may also allow attackers to pivot within internal networks or exfiltrate data. Given the specialized nature of the software, the impact is concentrated but significant in sectors relying on accurate and secure microscopy data processing. Additionally, regulatory frameworks such as GDPR impose strict data protection requirements, so any data leakage could result in legal and financial consequences.

Organizations should immediately audit their use of Bio-Formats and identify instances where Leica Microsystems metadata parsing is employed. Since no official patch links are provided, mitigation should focus on disabling external entity processing in the XML parser configuration by securely configuring the DocumentBuilderFactory to disallow external entity expansion and external DTD loading. This can be done by setting features such as 'http://apache.org/xml/features/disallow-doctype-decl' to true and disabling external general entities and parameter entities. Additionally, implement strict input validation and sanitization for all metadata files before processing. Restrict network egress from systems processing these files to prevent SSRF exploitation. Monitor logs for unusual XML parsing errors or outbound requests triggered by metadata processing. Finally, maintain awareness for official patches or updates from the Open Microscopy Environment project and apply them promptly once available.