Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Public static entry point gives AV:N/PR:N/UI:N; full RCE impact (C/I/A:H) when exploitable, but dependence on a classpath gadget outside attacker control justifies AC:H.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel
Versions Affected: before 3.0.0-M4 (libsvm document categorization module; introduced in OPENNLP-1808 and only present on the 3.x line)
Description: SvmDoccatModel.deserialize(InputStream) reads an attacker-controlled stream with java.io.ObjectInputStream and calls readObject() without an ObjectInputFilter installed. ObjectInputStream materialises every class referenced in the stream before the resulting object is cast to SvmDoccatModel, so the cast that follows readObject() executes only after the foreign object graph has already been deserialised in full.
If a Java deserialization gadget chain is available on the consumer's classpath, a crafted payload supplied to deserialize() executes arbitrary code in the JVM that loads it. Apache OpenNLP itself does not ship a known gadget chain, so the realistic risk is to downstream applications that embed the libsvm module alongside vulnerable transitive dependencies. The method is public and static, so any caller can pass an untrusted stream to it directly.
The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins.
Mitigation:
3.x users should upgrade to 3.0.0-M4.
Users who cannot upgrade immediately should treat all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified, and should avoid invoking SvmDoccatModel.deserialize() on streams supplied by end users or fetched from third-party sources without integrity checks.
Articles & Coverage 1
AnalysisAI
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an application running the affected libsvm module (Apache OpenNLP 3.0.0-M1 up to <3.0.0-M4) to call the public static SvmDoccatModel.deserialize(InputStream) on a stream the attacker can influence - the entry point is unauthenticated and needs no user interaction (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects a network-reachable, unauthenticated, no-interaction flaw but deliberately caps impact at Low/Low/Low rather than the High/High/High that full RCE would imply - a reasonable acknowledgement that code execution is conditional on a gadget chain being present on the consumer's classpath, a factor outside the attacker's control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application embeds the OpenNLP libsvm module and loads a document-categorization model by passing a user-supplied or externally fetched byte stream to SvmDoccatModel.deserialize(). An attacker submits a crafted serialized payload referencing a gadget chain already present in the app's transitive dependencies; readObject() instantiates the chain before the SvmDoccatModel cast, executing attacker code in the JVM. … |
| Remediation | Vendor-released patch: 3.0.0-M4 - 3.x users of the libsvm module should upgrade to 3.0.0-M4 as the primary fix, per the Apache advisory at https://lists.apache.org/thread/c7kom0pgk9cbpfnbooh5m3g85ndf50hn (see also https://seclists.org/oss-sec/2026/q3/66). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all internal services and applications using Apache OpenNLP; document current versions via dependency scanning (Maven, Gradle, or SCA tools). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41885
GHSA-g4fv-7mf3-543r