PatchSiren cyber security CVE debrief
CVE-2026-40682 Apache Software Foundation CVE debrief
CVE-2026-40682 is a critical vulnerability in Apache OpenNLP's DictionaryEntryPersistor class. The class initializes a static SAXParserFactory without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing, allowing for XML External Entity (XXE) attacks via crafted dictionary files. This vulnerability affects versions before 2.5.9 and before 3.0.0-M3. An attacker can exploit this vulnerability to trigger local file disclosure or server-side request forgery. The vulnerability has a CVSS score of 9.1 and is considered critical.
- Vendor: Apache Software Foundation
- Product: Apache OpenNLP
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-04
- Original CVE updated: 2026-06-29
- Advisory published: 2026-05-04
- Advisory updated: 2026-06-29
Who should care
Users of Apache OpenNLP, especially those who use the Dictionary(InputStream) constructor to load user-supplied dictionaries, should be aware of this vulnerability. This includes developers and administrators who use OpenNLP in their applications. Immediate action is recommended to mitigate the risk of XXE attacks.
Technical summary
The DictionaryEntryPersistor class in Apache OpenNLP initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support, leaving external entity resolution and DOCTYPE declarations fully enabled. This allows an attacker to supply a crafted dictionary file containing a malicious DOCTYPE declaration, triggering local file disclosure or server-side request forgery during SAX parsing.
Defensive priority
High priority should be given to upgrading to version 2.5.9 or 3.0.0-M3. In the meantime, users should ensure that all dictionary files are sourced from trusted origins and consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration.
Recommended defensive actions
- Upgrade to Apache OpenNLP version 2.5.9 or 3.0.0-M3.
- Ensure all dictionary files are sourced from trusted origins.
- Consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration.
- Monitor and restrict incoming dictionary files for suspicious or malicious content.
- Implement additional security measures, such as using a web application firewall (WAF) to detect and prevent XXE attacks.
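The technical summary and the defensive actions above describe both the weak parser setup (a SAXParserFactory with only namespace support enabled, leaving DOCTYPE and external entity handling on) and the two mitigations: a hardened parser configuration and a pre-check that refuses any XML carrying a DOCTYPE before it reaches the Dictionary(InputStream) constructor. The following Java class is an added example written for this debrief; it is not OpenNLP's code. It assumes the standard JDK/Xerces feature URIs, uses constructed dictionary-style XML samples whose element names are not taken from any real OpenNLP model file, and the helper names (SafeDictionaryLoader, hardenedReader, rejectDoctype, countEntries) are hypothetical. The DOCTYPE sample uses only a harmless internal entity, which is enough to show that both controls refuse it.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (hypothetical class, not OpenNLP code): hardened SAX loading of untrusted dictionary XML. */
public final class SafeDictionaryLoader {

    // Assumption: a DOCTYPE, if present, appears within the first 4 KiB of the document.
    private static final int PROLOGUE_BYTES = 4096;

    private SafeDictionaryLoader() {}

    /** Builds an XMLReader with DTD processing switched off; the vulnerable code only set namespace support. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Secure processing alone is not a reliable XXE control across parser implementations;
        // refusing the DOCTYPE outright is what blocks external entities in every implementation.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser().getXMLReader();
    }

    /**
     * Defence in depth for callers that cannot change the parser, e.g. the Dictionary(InputStream)
     * constructor on an unpatched release: peek at the prologue, refuse any DOCTYPE, and return a
     * rewound stream the caller can still pass on.
     */
    static InputStream rejectDoctype(InputStream in) throws IOException {
        BufferedInputStream buffered = new BufferedInputStream(in, PROLOGUE_BYTES);
        buffered.mark(PROLOGUE_BYTES);
        byte[] head = buffered.readNBytes(PROLOGUE_BYTES);
        buffered.reset();
        // "<!DOCTYPE" is case-sensitive in XML, so a byte-level match covers UTF-8/ASCII input.
        // UTF-16 input would not match this check; the parser features above still cover it.
        String prologue = new String(head, StandardCharsets.ISO_8859_1);
        if (prologue.contains("<!DOCTYPE")) {
            throw new IOException("dictionary rejected: DOCTYPE declarations are not allowed");
        }
        return buffered;
    }

    /** Counts <entry> elements using both controls; stands in for the real dictionary loader. */
    static int countEntries(InputStream in) throws IOException, SAXException, ParserConfigurationException {
        final int[] entries = {0};
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes atts) {
                if ("entry".equals(localName)) entries[0]++;
            }
        });
        reader.parse(new InputSource(rejectDoctype(in)));
        return entries[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign dictionary-style document and one with an internal-entity DOCTYPE.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<dictionary><entry><token>alpha</token></entry><entry><token>beta</token></entry></dictionary>";
        String withDoctype = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<!DOCTYPE dictionary [<!ENTITY name \"alpha\">]>"
                + "<dictionary><entry><token>&name;</token></entry></dictionary>";

        System.out.println("benign entries: " + countEntries(asStream(benign)));
        try {
            countEntries(asStream(withDoctype));
        } catch (IOException e) {
            System.out.println("pre-check refused: " + e.getMessage());
        }
        // Even without the pre-check, the hardened reader refuses the DOCTYPE at parse time.
        try {
            XMLReader reader = hardenedReader();
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(asStream(withDoctype)));
        } catch (SAXParseException e) {
            System.out.println("parser refused: " + e.getMessage());
        }
    }

    private static InputStream asStream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }
}
```

The pre-check is the only option when the parser lives inside a library you cannot reconfigure, which is the situation the advisory describes for unpatched releases; the parser features are the durable fix and are what an upgrade to a patched release provides. Keep both in place where untrusted dictionaries are accepted, since the byte-level check is deliberately narrow (UTF-8 only, first 4 KiB) and is meant as a tripwire, not as the primary control.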
Evidence notes
The CVE-2026-40682 vulnerability was published on May 4, 2026, and modified on June 29, 2026. The vulnerability affects Apache OpenNLP versions before 2.5.9 and before 3.0.0-M3. The CVSS score is 9.1, indicating a critical vulnerability. The vulnerability allows for XXE attacks via crafted dictionary files.
Official resources
- CVE-2026-40682 CVE record (CVE.org)
- CVE-2026-40682 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.