Vulnerability-Lookup

CVE-2026-42027 (GCVE-0-2026-42027)

Vulnerability from cvelistv5 – Published: 2026-05-04 16:43 – Updated: 2026-05-05 16:02

Title

Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

Summary

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load. Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.

Severity ?

No CVSS data available.

CWE

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/ltlo4powjfc0w2w2y…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache OpenNLP	Affected: 0 , < 2.5.9 (semver) Affected: 3.0 , < 3.0.0-M3 (semver)

Credits

Subramanian S

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:36:56.492Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/20"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42027",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T16:01:56.421468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T16:02:56.683Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.opennlp:opennlp-tools",
          "product": "Apache OpenNLP",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.5.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.0-M3",
              "status": "affected",
              "version": "3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Subramanian S"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eArbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\u003c/b\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eVersions Affected: \u003c/b\u003ebefore 2.5.9, before 3.0.0-M3\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eDescription:\u003c/b\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ccode\u003eExtensionLoader.instantiateExtension(Class, String)\u003c/code\u003e\u0026nbsp;method loads a class by its fully-qualified name via \u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;and invokes its no-arg constructor, with the class name sourced from the \u003ccode\u003emanifest.properties\u003c/code\u003e\u0026nbsp;entry of a model archive. The existing \u003ccode\u003eisAssignableFrom\u003c/code\u003e\u0026nbsp;check correctly rejects classes that are not subtypes of the expected extension interface (\u003ccode\u003eBaseToolFactory\u003c/code\u003e\u0026nbsp;for \u003ccode\u003efactory=\u003c/code\u003e, \u003ccode\u003eArtifactSerializer\u003c/code\u003e\u0026nbsp;for \u003ccode\u003eserializer-class-*\u003c/code\u003e), but the check runs \u003cem\u003e\u003cb\u003eafter\u003c/b\u003e\u003c/em\u003e\u0026nbsp;\u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;has already loaded and initialized the named class. \u003c/p\u003e\u003cp\u003e\u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \u003c/p\u003e\u003cp\u003eExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be \u003cb\u003epresent on the classpath\u003c/b\u003e, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate \u003ccode\u003eBaseToolFactory\u003c/code\u003e\u0026nbsp;or \u003ccode\u003eArtifactSerializer\u003c/code\u003e\u0026nbsp;subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eMitigation:\u003c/b\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2.x users should upgrade to 2.5.9. \u003c/li\u003e\u003cli\u003e3.x users should upgrade to 3.0.0-M3. \u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eNote: The fix introduces a package-prefix allowlist that is consulted before \u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;is invoked, so the static initializer of a disallowed class is never executed. Classes under the \u003ccode\u003eopennlp.\u003c/code\u003e\u0026nbsp;prefix remain permitted by default. Deployments that load models referencing factories or serializers outside \u003ccode\u003eopennlp.*\u003c/code\u003e\u0026nbsp;must opt those packages in, either programmatically via \u003ccode\u003eExtensionLoader.registerAllowedPackage(String)\u003c/code\u003e\u0026nbsp;before the first model load, or by setting the \u003ccode\u003e\u003cb\u003eOPENNLP_EXT_ALLOWED_PACKAGES\u003c/b\u003e\u003c/code\u003e\u0026nbsp;system property to a comma-separated list of allowed package prefixes. \u003c/p\u003e\u003cp\u003eUsers who cannot upgrade immediately should ensure that all model files are sourced from \u003cb\u003etrusted origins\u003c/b\u003e\u0026nbsp;and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\n\n\n\n\n\nVersions Affected: before 2.5.9, before 3.0.0-M3\n\n\n\n\n\nDescription:\u00a0\n\nThe ExtensionLoader.instantiateExtension(Class, String)\u00a0method loads a class by its fully-qualified name via Class.forName()\u00a0and invokes its no-arg constructor, with the class name sourced from the manifest.properties\u00a0entry of a model archive. The existing isAssignableFrom\u00a0check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory\u00a0for factory=, ArtifactSerializer\u00a0for serializer-class-*), but the check runs after\u00a0Class.forName()\u00a0has already loaded and initialized the named class. \n\nClass.forName()\u00a0with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \n\nExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory\u00a0or ArtifactSerializer\u00a0subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\n\n\n\n\n\nMitigation:\u00a0\n\n\n\n  *  2.x users should upgrade to 2.5.9. \n  *  3.x users should upgrade to 3.0.0-M3. \n\n\n\n\nNote: The fix introduces a package-prefix allowlist that is consulted before Class.forName()\u00a0is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp.\u00a0prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.*\u00a0must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String)\u00a0before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES\u00a0system property to a comma-separated list of allowed package prefixes. \n\nUsers who cannot upgrade immediately should ensure that all model files are sourced from trusted origins\u00a0and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T16:43:12.583Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y"
        }
      ],
      "source": {
        "defect": [
          "OPENNLP-1820"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-42027",
    "datePublished": "2026-05-04T16:43:12.583Z",
    "dateReserved": "2026-04-23T14:21:25.317Z",
    "dateUpdated": "2026-05-05T16:02:56.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42027",
      "date": "2026-05-08",
      "epss": "0.0036",
      "percentile": "0.5819"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42027\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-05-04T17:16:24.123\",\"lastModified\":\"2026-05-06T18:00:39.497\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\\n\\n\\n\\n\\n\\nVersions Affected: before 2.5.9, before 3.0.0-M3\\n\\n\\n\\n\\n\\nDescription:\u00a0\\n\\nThe ExtensionLoader.instantiateExtension(Class, String)\u00a0method loads a class by its fully-qualified name via Class.forName()\u00a0and invokes its no-arg constructor, with the class name sourced from the manifest.properties\u00a0entry of a model archive. The existing isAssignableFrom\u00a0check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory\u00a0for factory=, ArtifactSerializer\u00a0for serializer-class-*), but the check runs after\u00a0Class.forName()\u00a0has already loaded and initialized the named class. \\n\\nClass.forName()\u00a0with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \\n\\nExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory\u00a0or ArtifactSerializer\u00a0subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\\n\\n\\n\\n\\n\\nMitigation:\u00a0\\n\\n\\n\\n  *  2.x users should upgrade to 2.5.9. \\n  *  3.x users should upgrade to 3.0.0-M3. \\n\\n\\n\\n\\nNote: The fix introduces a package-prefix allowlist that is consulted before Class.forName()\u00a0is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp.\u00a0prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.*\u00a0must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String)\u00a0before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES\u00a0system property to a comma-separated list of allowed package prefixes. \\n\\nUsers who cannot upgrade immediately should ensure that all model files are sourced from trusted origins\u00a0and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-470\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:opennlp:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.9\",\"matchCriteriaId\":\"3E73109B-BF5E-4832-B5DC-1747D3C42287\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:opennlp:3.0.0:m1:*:*:*:*:*:*\",\"matchCriteriaId\":\"57E14048-91DB-4673-9A7B-B15675B3994A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:opennlp:3.0.0:m2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E738486-C0BD-4FDB-8880-DBC2BA4C0D77\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/05/01/20\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/05/01/20\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-05-04T17:36:56.492Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42027\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-05T16:01:56.421468Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-05T16:02:10.980Z\"}}], \"cna\": {\"title\": \"Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader\", \"source\": {\"defect\": [\"OPENNLP-1820\"], \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Subramanian S\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache OpenNLP\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.5.9\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0\", \"lessThan\": \"3.0.0-M3\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.opennlp:opennlp-tools\", \"collectionURL\": \"https://repo.maven.apache.org/maven2/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\\n\\n\\n\\n\\n\\nVersions Affected: before 2.5.9, before 3.0.0-M3\\n\\n\\n\\n\\n\\nDescription:\\u00a0\\n\\nThe ExtensionLoader.instantiateExtension(Class, String)\\u00a0method loads a class by its fully-qualified name via Class.forName()\\u00a0and invokes its no-arg constructor, with the class name sourced from the manifest.properties\\u00a0entry of a model archive. The existing isAssignableFrom\\u00a0check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory\\u00a0for factory=, ArtifactSerializer\\u00a0for serializer-class-*), but the check runs after\\u00a0Class.forName()\\u00a0has already loaded and initialized the named class. \\n\\nClass.forName()\\u00a0with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \\n\\nExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory\\u00a0or ArtifactSerializer\\u00a0subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\\n\\n\\n\\n\\n\\nMitigation:\\u00a0\\n\\n\\n\\n  *  2.x users should upgrade to 2.5.9. \\n  *  3.x users should upgrade to 3.0.0-M3. \\n\\n\\n\\n\\nNote: The fix introduces a package-prefix allowlist that is consulted before Class.forName()\\u00a0is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp.\\u00a0prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.*\\u00a0must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String)\\u00a0before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES\\u00a0system property to a comma-separated list of allowed package prefixes. \\n\\nUsers who cannot upgrade immediately should ensure that all model files are sourced from trusted origins\\u00a0and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eArbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\u003c/b\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eVersions Affected: \u003c/b\u003ebefore 2.5.9, before 3.0.0-M3\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eDescription:\u003c/b\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003eThe \u003ccode\u003eExtensionLoader.instantiateExtension(Class, String)\u003c/code\u003e\u0026nbsp;method loads a class by its fully-qualified name via \u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;and invokes its no-arg constructor, with the class name sourced from the \u003ccode\u003emanifest.properties\u003c/code\u003e\u0026nbsp;entry of a model archive. The existing \u003ccode\u003eisAssignableFrom\u003c/code\u003e\u0026nbsp;check correctly rejects classes that are not subtypes of the expected extension interface (\u003ccode\u003eBaseToolFactory\u003c/code\u003e\u0026nbsp;for \u003ccode\u003efactory=\u003c/code\u003e, \u003ccode\u003eArtifactSerializer\u003c/code\u003e\u0026nbsp;for \u003ccode\u003eserializer-class-*\u003c/code\u003e), but the check runs \u003cem\u003e\u003cb\u003eafter\u003c/b\u003e\u003c/em\u003e\u0026nbsp;\u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;has already loaded and initialized the named class. \u003c/p\u003e\u003cp\u003e\u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \u003c/p\u003e\u003cp\u003eExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be \u003cb\u003epresent on the classpath\u003c/b\u003e, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate \u003ccode\u003eBaseToolFactory\u003c/code\u003e\u0026nbsp;or \u003ccode\u003eArtifactSerializer\u003c/code\u003e\u0026nbsp;subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003e\u003cb\u003eMitigation:\u003c/b\u003e\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e2.x users should upgrade to 2.5.9. \u003c/li\u003e\u003cli\u003e3.x users should upgrade to 3.0.0-M3. \u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eNote: The fix introduces a package-prefix allowlist that is consulted before \u003ccode\u003eClass.forName()\u003c/code\u003e\u0026nbsp;is invoked, so the static initializer of a disallowed class is never executed. Classes under the \u003ccode\u003eopennlp.\u003c/code\u003e\u0026nbsp;prefix remain permitted by default. Deployments that load models referencing factories or serializers outside \u003ccode\u003eopennlp.*\u003c/code\u003e\u0026nbsp;must opt those packages in, either programmatically via \u003ccode\u003eExtensionLoader.registerAllowedPackage(String)\u003c/code\u003e\u0026nbsp;before the first model load, or by setting the \u003ccode\u003e\u003cb\u003eOPENNLP_EXT_ALLOWED_PACKAGES\u003c/b\u003e\u003c/code\u003e\u0026nbsp;system property to a comma-separated list of allowed package prefixes. \u003c/p\u003e\u003cp\u003eUsers who cannot upgrade immediately should ensure that all model files are sourced from \u003cb\u003etrusted origins\u003c/b\u003e\u0026nbsp;and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-470\", \"description\": \"CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-05-04T16:43:12.583Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42027\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-05T16:02:56.683Z\", \"dateReserved\": \"2026-04-23T14:21:25.317Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-05-04T16:43:12.583Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-CX4M-2P55-RW7J

Vulnerability from github – Published: 2026-05-04 18:30 – Updated: 2026-05-08 17:53

Summary

Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest

Details

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader

Versions Affected: before 2.5.9, before 3.0.0-M3

Description:

The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class.

Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check.

Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.

Mitigation:

2.x users should upgrade to 2.5.9.
3.x users should upgrade to 3.0.0-M3.

Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes.

Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.opennlp:opennlp-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.opennlp:opennlp-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.0.0-M3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T17:53:14Z",
    "nvd_published_at": "2026-05-04T17:16:24Z",
    "severity": "CRITICAL"
  },
  "details": "Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\n\n\n\n\n\nVersions Affected: before 2.5.9, before 3.0.0-M3\n\n\n\n\n\nDescription:\u00a0\n\nThe ExtensionLoader.instantiateExtension(Class, String)\u00a0method loads a class by its fully-qualified name via Class.forName()\u00a0and invokes its no-arg constructor, with the class name sourced from the manifest.properties\u00a0entry of a model archive. The existing isAssignableFrom\u00a0check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory\u00a0for factory=, ArtifactSerializer\u00a0for serializer-class-*), but the check runs after\u00a0Class.forName()\u00a0has already loaded and initialized the named class. \n\nClass.forName()\u00a0with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \n\nExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory\u00a0or ArtifactSerializer\u00a0subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\n\n\n\n\n\nMitigation:\u00a0\n\n\n\n  *  2.x users should upgrade to 2.5.9. \n  *  3.x users should upgrade to 3.0.0-M3. \n\n\n\n\nNote: The fix introduces a package-prefix allowlist that is consulted before Class.forName()\u00a0is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp.\u00a0prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.*\u00a0must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String)\u00a0before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES\u00a0system property to a comma-separated list of allowed package prefixes. \n\nUsers who cannot upgrade immediately should ensure that all model files are sourced from trusted origins\u00a0and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.",
  "id": "GHSA-cx4m-2p55-rw7j",
  "modified": "2026-05-08T17:53:14Z",
  "published": "2026-05-04T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42027"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/opennlp"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/01/20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest"
}

FKIE_CVE-2026-42027

Vulnerability from fkie_nvd - Published: 2026-05-04 17:16 - Updated: 2026-05-06 18:00

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@apache.org	https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y	Mailing List, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/05/01/20	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
apache	opennlp	*
apache	opennlp	3.0.0
apache	opennlp	3.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:opennlp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E73109B-BF5E-4832-B5DC-1747D3C42287",
              "versionEndExcluding": "2.5.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:opennlp:3.0.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "57E14048-91DB-4673-9A7B-B15675B3994A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:opennlp:3.0.0:m2:*:*:*:*:*:*",
              "matchCriteriaId": "2E738486-C0BD-4FDB-8880-DBC2BA4C0D77",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader\n\n\n\n\n\nVersions Affected: before 2.5.9, before 3.0.0-M3\n\n\n\n\n\nDescription:\u00a0\n\nThe ExtensionLoader.instantiateExtension(Class, String)\u00a0method loads a class by its fully-qualified name via Class.forName()\u00a0and invokes its no-arg constructor, with the class name sourced from the manifest.properties\u00a0entry of a model archive. The existing isAssignableFrom\u00a0check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory\u00a0for factory=, ArtifactSerializer\u00a0for serializer-class-*), but the check runs after\u00a0Class.forName()\u00a0has already loaded and initialized the named class. \n\nClass.forName()\u00a0with default initialization semantics executes the target class\u0027s static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. \n\nExploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory\u00a0or ArtifactSerializer\u00a0subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.\n\n\n\n\n\nMitigation:\u00a0\n\n\n\n  *  2.x users should upgrade to 2.5.9. \n  *  3.x users should upgrade to 3.0.0-M3. \n\n\n\n\nNote: The fix introduces a package-prefix allowlist that is consulted before Class.forName()\u00a0is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp.\u00a0prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.*\u00a0must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String)\u00a0before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES\u00a0system property to a comma-separated list of allowed package prefixes. \n\nUsers who cannot upgrade immediately should ensure that all model files are sourced from trusted origins\u00a0and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization."
    }
  ],
  "id": "CVE-2026-42027",
  "lastModified": "2026-05-06T18:00:39.497",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-04T17:16:24.123",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/05/01/20"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-470"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42027 (GCVE-0-2026-42027)

GHSA-CX4M-2P55-RW7J

FKIE_CVE-2026-42027

Tags

Sightings

Nomenclature