CVE-2026-4374
Published: 01 April 2026
Summary
CVE-2026-4374 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in RTI Connext Professional. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4374 is an Improper Restriction of XML External Entity Reference vulnerability (CWE-611) in RTI Connext Professional, affecting the Routing Service, Observability Collector, Recording Service, Queueing Service, and Cloud Discovery Service. The issue enables Serialized Data External Linking and Data Serialization flaws. It was published on 2026-04-01 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation can result in high impacts to confidentiality and availability, allowing unauthorized access to sensitive data and disruption of service.
Mitigation guidance and patches are detailed in the RTI vulnerability advisory at https://www.rti.com/vulnerabilities/#cve-2026-4374.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17765
Vulnerability details
Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Routing Service, Observability Collector, Recording Service, Queueing Service, Cloud Discovery Service) allows Serialized Data External Linking, Data Serializat...
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated XXE in exposed services directly enables T1190 for initial exploitation and T1005 for local file/data access via external entity processing.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identification, reporting, and timely remediation of the XXE flaw in RTI Connext services via patching as detailed in the RTI advisory.
- SI-10 (Information Input Validation): requires validation of XML inputs to block improper external entity references that enable unauthorized data access and service disruption.
- Enforces secure configuration settings for XML parsers in affected RTI services to disable external entity processing and mitigate serialization flaws.
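The two controls above (validate XML input, configure the parser to refuse external entities) come down to a parser that aborts on any DTD or entity construct, plus a cheap triage check for inbound documents. The following is an added example, not RTI code and not tied to how Connext services parse their configuration: it uses Python's stdlib expat bindings, and the sample documents are constructed here with a placeholder path.

```python
import xml.parsers.expat


class ForbiddenXmlConstruct(ValueError):
    """A DTD, entity declaration or external entity reference was encountered."""


def _forbid(*_args):
    # Raising inside an expat callback aborts the parse and propagates the error.
    raise ForbiddenXmlConstruct("DTD / entity constructs are not allowed in untrusted XML")


def parse_without_dtd(xml_bytes: bytes) -> dict[str, str]:
    """Parse XML while refusing every construct XXE depends on; returns element -> text."""
    parser = xml.parsers.expat.ParserCreate()
    # Entities are declared inside the DOCTYPE, so refusing it closes the door; the
    # other two handlers are defence in depth.
    parser.StartDoctypeDeclHandler = _forbid
    parser.EntityDeclHandler = _forbid
    parser.ExternalEntityRefHandler = _forbid
    found: dict[str, str] = {}
    text: list[str] = []

    def end(name):
        value = "".join(text).strip()
        if value:
            found[name] = value
        text.clear()

    parser.StartElementHandler = lambda _name, _attrs: text.clear()
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return found


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_without_dtd(xml_bytes)
    except ForbiddenXmlConstruct:
        return True
    return False


def dtd_indicators(xml_bytes: bytes) -> list[str]:
    """Pre-parse triage of inbound XML: which XXE-related markers appear in the prologue?"""
    markers = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PUBLIC")
    return [m.decode() for m in markers if m in xml_bytes[:4096]]


# Constructed samples (not from the advisory): a benign service fragment and one
# declaring an external entity that points at a placeholder path.
BENIGN_CONFIG = b'<?xml version="1.0"?><service><name>routing-demo</name><port>7400</port></service>'
XXE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE service [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              b'<service><name>&ext;</name></service>')
```

`dtd_indicators` is a logging aid for services that must accept XML from the network; the actual control is `parse_without_dtd`, which fails closed before any entity is resolved.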