CVE-2026-22186: CWE-611 Improper Restriction of XML External Entity Reference in Open Microscopy Environment Bio-Formats
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing.
AI Analysis
Technical Summary
CVE-2026-22186 is a medium-severity XML External Entity (XXE) vulnerability affecting Open Microscopy Environment's Bio-Formats software, versions up to and including 8.3.0. The vulnerability resides in the Leica Microsystems metadata parsing component, such as the XLEF parser, which processes Leica XML-based metadata files. The root cause is the use of an insecurely configured DocumentBuilderFactory that permits external entity expansion and external Document Type Definition (DTD) loading. This misconfiguration allows an attacker to craft malicious metadata files that, when parsed, can trigger outbound network requests (enabling SSRF attacks), access local system resources that are readable by the parsing process, or cause denial of service by exhausting resources during XML parsing. The vulnerability does not require authentication but does require user interaction in the form of processing a malicious metadata file. The CVSS 4.0 vector indicates a local attack vector, low attack complexity, no privileges required, and user interaction required. The impact on confidentiality is limited but possible due to local file access and SSRF. Integrity and availability impacts are low to medium due to potential denial of service. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. This vulnerability is classified under CWE-611, which concerns improper restriction of XML external entity references.
Potential Impact
The primary impact of CVE-2026-22186 is the potential for attackers to leverage crafted Leica XML metadata files to perform SSRF attacks, access sensitive local files readable by the application, or cause denial of service by crashing or hanging the XML parser. For organizations relying on Bio-Formats for microscopy image data processing, this could lead to exposure of sensitive internal files or network resources, potentially leaking information or enabling further attacks within internal networks. Denial of service conditions could disrupt scientific workflows or data processing pipelines. While the attack vector is local and requires user interaction, the risk is significant in environments where untrusted or external metadata files are processed automatically or without sufficient validation. The lack of authentication requirements increases the risk if attackers can supply malicious files to users or systems processing these files. Overall, the impact is moderate but could be severe in sensitive research or clinical environments where data confidentiality and availability are critical.
Mitigation Recommendations
To mitigate CVE-2026-22186, organizations should immediately review and restrict the processing of Leica XML metadata files from untrusted or unauthenticated sources. Implement input validation and sanitization to detect and reject XML files containing external entity declarations or DTDs. Update or patch Bio-Formats to a version that disables external entity processing or uses a securely configured XML parser; if no official patch is available, consider applying custom parser configurations that disable external entity resolution and DTD loading. Employ network-level controls to restrict outbound connections from systems processing metadata files to prevent SSRF exploitation. Monitor logs for unusual XML parsing errors or network requests triggered by metadata processing. Educate users and administrators about the risks of processing untrusted XML metadata files and enforce strict file provenance policies. Consider sandboxing or isolating the metadata parsing process to limit the impact of potential exploitation. Finally, track vendor announcements for official patches and apply them promptly once available.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-06T16:47:17.182Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695ec6692efadb62cf814033
Added to database: 1/7/2026, 8:47:37 PM
Last enriched: 3/18/2026, 6:19:00 PM
Last updated: 3/24/2026, 12:10:42 AM