Skip to main content

Apache Calcite EUVDEUVD-2026-33906

| CVE-2026-46718 MEDIUM
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-06-02 apache GHSA-c2rv-hwqm-wjpg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 02, 2026 - 16:22 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
6.5 (MEDIUM)
Patch available
Jun 02, 2026 - 11:00 EUVD
CVE Published
Jun 02, 2026 - 09:17 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 02, 2026 - 09:17 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 20 maven packages depend on org.apache.calcite:calcite-core (9 direct, 11 indirect)

Ecosystem-wide dependent count for version 1.5.0.

DescriptionCVE.org

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite.

This issue affects Apache Calcite: from 1.5.0 before 1.42.

Users are recommended to upgrade to version 1.42, which fixes the issue.

AnalysisAI

Unsafe reflection in Apache Calcite 1.5.0 through 1.41 allows unauthenticated remote attackers to supply externally-controlled input that influences class or code selection at runtime, resulting in partial confidentiality and integrity impact (CVSS C:L/I:L). The vulnerability stems from CWE-470, where user-supplied input is used unsanitized to drive Java reflection operations. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (7th percentile) indicates low community-assessed exploitation probability at time of analysis.

Technical ContextAI

Apache Calcite is a widely embedded SQL query parsing, planning, and optimization framework used as a foundational library by Apache Hive, Flink, Drill, Phoenix, and others. CWE-470 (Use of Externally-Controlled Input to Select Classes or Code) describes a class of vulnerability where attacker-supplied strings are passed to reflective class-loading APIs (e.g., Class.forName(), newInstance()) without adequate allowlisting or validation. This allows an attacker to influence which Java class is instantiated or which code path is invoked. The affected CPE is cpe:2.3:a:apache_software_foundation:apache_calcite:*:*:*:*:*:*:*:*, spanning all releases from 1.5.0 up to but not including 1.42. Because Calcite is typically embedded rather than exposed directly, the practical attack surface depends on how the consuming application exposes Calcite's query or expression parsing interfaces to untrusted input.

RemediationAI

Upgrade Apache Calcite to version 1.42 or later, which contains the vendor-confirmed fix per the Apache mailing list advisory at https://lists.apache.org/thread/9s37svo343w5ck1ovh478lkzcqk4949w and the oss-security disclosure at http://www.openwall.com/lists/oss-security/2026/06/01/7. For downstream projects embedding Calcite as a transitive dependency, update the dependency version in your build configuration (Maven, Gradle) and re-release. If an immediate upgrade is not feasible, a compensating control is to restrict the application layer so that untrusted external input cannot reach Calcite's class-selection or plugin-loading interfaces - for example, by validating and allowlisting any user-supplied type names, function names, or driver class identifiers before they are passed to Calcite. This allowlist approach has the trade-off of requiring ongoing maintenance as legitimate class references change. Blocking network access to query endpoints is not a practical workaround for embedded deployments but can reduce exposure in cases where Calcite-backed REST or JDBC endpoints are publicly reachable.

Vendor StatusVendor

Share

EUVD-2026-33906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy