Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (multiple infrastructure services) allows Serialized Data External Linking, Data Serialization External Entities Blowup.
Summary
| CVE | CVE-2026-4374 |
|---|---|
| State | PUBLISHED |
| Assigner | RTI |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-01 02:16:03 UTC |
| Updated | 2026-06-17 19:18:09 UTC |
| Description | Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Cloud Discovery Service, Recording Service, Routing Service, Queueing Service, Observability Collector) allows Serialized Data External Linking, Data Serialization External Entities Blowup. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.1.0 before 7.3.1.1, from 6.1.0 before 6.1.2.34, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*. |
Risk And Classification
Primary CVSS: v4.0 8.8 HIGH from 3f572a00-62e2-4423-959a-7ea25eff1638
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000490000 probability, percentile 0.149590000 (date 2026-04-07)
Problem Types: CWE-611 Improper Restriction of XML External Entity Reference
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 3f572a00-62e2-4423-959a-7ea25eff1638 | Secondary | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N |
| 4.0 | CNA | CVSS | 7 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | High |
| Integrity | None |
| Availability | High |
| Sub Conf. | None |
| Sub Integrity | None |
| Sub Availability | None |

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | High |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rti | Connext Professional | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | RTI | Connext Professional | affected from 7.4.0 before 7.7.0 (version type: custom) | Not specified |
| CNA | RTI | Connext Professional | affected from 7.1.0 before 7.3.1.1 (version type: custom) | Not specified |
| CNA | RTI | Connext Professional | affected from 6.1.0 before 6.1.2.34 (version type: custom) | Not specified |
| CNA | RTI | Connext Professional | affected from 6.0.0 before 6.0.* (version type: custom) | Not specified |
| CNA | RTI | Connext Professional | affected from 5.3.0 before 5.3.* (version type: custom) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.rti.com/vulnerabilities | 3f572a00-62e2-4423-959a-7ea25eff1638 | www.rti.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |