Skip to main content

Apache OpenNLP CVE-2026-42027

| EUVDEUVD-2026-27005 CRITICAL
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-05-04 apache GHSA-cx4m-2p55-rw7j
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Generated
May 05, 2026 - 16:24 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
9.8 (CRITICAL)
Patch available
May 04, 2026 - 18:32 EUVD
Patch released
May 04, 2026 - 18:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 17:15 euvd
EUVD-2026-27005
CVE Published
May 04, 2026 - 16:43 nvd
N/A

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.apache.opennlp:opennlp-tools (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.0.0-M1.

DescriptionCVE.org

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader

Versions Affected: before 2.5.9, before 3.0.0-M3

Description:

The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class.

Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check.

Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.

Mitigation:

  • 2.x users should upgrade to 2.5.9.
  • 3.x users should upgrade to 3.0.0-M3.

Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes.

Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.

AnalysisAI

Apache OpenNLP's model loading mechanism executes arbitrary static initializers through crafted manifest entries, enabling attackers to trigger side effects in any classpath class before type validation occurs. Affects OpenNLP versions before 2.5.9 and 3.0.0-M3. While not direct RCE, exploitation becomes viable when third-party models from untrusted sources (community repositories, model-sharing platforms) are loaded in environments containing classes with JNDI lookups, network I/O, or filesystem operations in static initializers. EPSS score of 0.29% suggests low widespread exploitation probability despite CVSS 9.8, though attack surface grows with model-sharing ecosystem adoption. No public exploit identified at time of analysis; vendor-released patches available.

Technical ContextAI

Apache OpenNLP is a natural language processing library that loads trained models from archive files containing manifest.properties. The ExtensionLoader.instantiateExtension() method reads fully-qualified class names from model manifests (factory= and serializer-class-* entries) and invokes Class.forName() with default initialization semantics to load BaseToolFactory or ArtifactSerializer implementations. Java's Class.forName() executes the target class's static initializer block before returning the Class object. The vulnerability (CWE-470: Use of Externally-Controlled Input to Select Classes or Code) arises because type validation via isAssignableFrom() occurs after class initialization has already executed, allowing attackers to trigger static initializers of arbitrary classpath classes by naming them in a malicious model manifest. The attack leverages Java's class loading order: static initializers run during the linking phase, before any explicit constructor invocation or type checking. Classes with side-effecting static initializers become exploitation gadgets similar to Java deserialization chains, though the attack surface here depends on classpath composition rather than serialization libraries.

RemediationAI

Upgrade to Apache OpenNLP 2.5.9 for 2.x deployments or 3.0.0-M3 for 3.x deployments, both available from the Apache OpenNLP project page and Maven Central. The patched versions implement a package-prefix allowlist that is enforced before Class.forName() execution, preventing static initializer invocation for disallowed classes. By default, only the opennlp.* package namespace remains permitted. Organizations using custom BaseToolFactory or ArtifactSerializer implementations outside the opennlp package must explicitly allowlist those packages via ExtensionLoader.registerAllowedPackage(String) API calls before model loading, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of approved package prefixes. For deployments unable to upgrade immediately, implement strict model provenance controls: (1) accept models only from cryptographically signed sources with verified publisher identities, (2) audit the application classpath for classes with side-effecting static initializers, particularly those performing JNDI lookups (javax.naming.InitialContext in static blocks), network operations (java.net.URL, HTTP clients), or filesystem writes, (3) consider running model loading in a sandboxed JVM with SecurityManager policies restricting network and filesystem access, though note that SecurityManager is deprecated in Java 17+ and this mitigation adds operational complexity. The workaround approach trades convenience for security-strict provenance validation may break workflows dependent on community model repositories.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-42027 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy