CVE-2026-22186

7.1 HIGH

📋 TL;DR

Bio-Formats up to version 8.3.0 contains an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parser. This allows attackers to read local files, make outbound network requests (SSRF), or cause denial of service via specially crafted XLEF metadata files. Anyone using Bio-Formats to process Leica microscopy files is affected.

💻 Affected Systems

Products:
  • Bio-Formats
Versions: All versions up to and including 8.3.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects processing of Leica Microsystems XML metadata files (XLEF format).

📦 What is this software?

Bio-Formats is an open-source Java library from the Open Microscopy Environment (OME) for reading and writing life-sciences microscopy image formats and their metadata; the Leica XLEF reader is one of its format-specific parsers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through SSRF to internal services, sensitive file disclosure, or complete service unavailability via DoS.

🟠 Likely Case

Local file disclosure from the server, limited SSRF to internal network resources, or temporary service disruption.

🟢 If Mitigated

Limited impact with proper network segmentation and file processing restrictions, potentially only DoS.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a malicious XLEF file to be processed by vulnerable Bio-Formats.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.1 or later

Vendor Advisory: https://docs.openmicroscopy.org/bio-formats/

Restart Required: No

Instructions:

1. Upgrade Bio-Formats to version 8.3.1 or newer.
2. Update any applications or pipelines using Bio-Formats.
3. Test with existing Leica metadata files.

🔧 Temporary Workarounds

Disable external entity processing

Applies to: all

Configure DocumentBuilderFactory to disable XXE features before parsing XML:

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Stop the parser from resolving external general/parameter entities and from fetching external DTDs.
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

Input validation

Applies to: all

Reject or sanitize XLEF files before processing.
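Both workarounds above in one place, as an added example that is not Bio-Formats code: a DocumentBuilderFactory hardened with the features listed, plus the disallow-doctype-decl feature, which implements the "reject before processing" rule by refusing any metadata file that carries a DOCTYPE (XLEF metadata needs none). The class name, the constructed sample documents and the XLEF root element are assumptions for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXlefParser {

    // Build a DocumentBuilder that can neither declare nor resolve external entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest control: refuse any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse metadata text and return its root element name; throws on rejected input.
    static String parseRootName(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; the real XLEF schema is not reproduced here.
        String benign = "<?xml version=\"1.0\"?><XLEF><Element Name=\"Exp1\"/></XLEF>";
        System.out.println("benign root: " + parseRootName(benign));

        // Constructed sample with a harmless, internal-only DOCTYPE: the hardened
        // parser must refuse it before any entity could be declared or resolved.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE XLEF><XLEF/>";
        try {
            parseRootName(withDoctype);
            System.out.println("FAIL: DOCTYPE accepted, parser is not hardened");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory if the pipeline parses XLEF through those APIs instead of DOM.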

🧯 If You Can't Patch

  • Restrict network egress from Bio-Formats servers to prevent SSRF
  • Implement strict file upload controls and sandbox processing of XLEF files

🔍 How to Verify

Check if Vulnerable:

Check the Bio-Formats version with 'java -jar bioformats.jar --version', or examine the dependencies of your application.

Check Version:

java -jar bioformats.jar --version

Verify Fix Applied:

Confirm the version is 8.3.1 or later and test with a known malicious XLEF file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound network connections from Bio-Formats process
  • XML parsing errors or timeouts
  • Unexpected file access patterns

Network Indicators:

  • HTTP requests to internal services from Bio-Formats server
  • DNS requests for unusual domains during file processing

SIEM Query:

source="bioformats" AND (event="xml_parse_error" OR dest_ip IN [internal_ips])
