PatchSiren cyber security CVE debrief

CVE-2026-42027 Apache Software Foundation CVE debrief

CVE-2026-42027 is a critical vulnerability in Apache OpenNLP's ExtensionLoader that allows arbitrary class instantiation via a model manifest. The vulnerability affects versions before 1.9.5, before 2.5.9, and before 3.0.0-M3. An attacker can exploit it by supplying a crafted model archive, causing the static initializer of any class on the classpath to run during model loading. This can lead to a range of attacks, including JNDI lookup, outbound network I/O, or filesystem access. The attack surface grows as third-party model distribution becomes more common. A secondary vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors.

Vendor: Apache Software Foundation
Product: Apache OpenNLP
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-04
Original CVE updated: 2026-06-29
Advisory published: 2026-05-04
Advisory updated: 2026-06-29

Who should care

Users of Apache OpenNLP, especially those who load models from untrusted origins, should be aware of this vulnerability. Deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors are also affected. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and audit their classpath for classes with side-effecting static initializers or constructors.

Technical summary

The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface, but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, allowing an attacker to cause the static initializer of any class on the classpath to run during model loading.
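The ordering problem described above, shown as an added illustration that is not OpenNLP's own code: the first loader initializes the named class before the subtype check can reject it, while the hardened loader applies a package-prefix allowlist, resolves the class with initialize=false, checks assignability, and only then instantiates. The class names, the Recorder flag and the allowlist prefixes are assumptions constructed for this demo.

```java
import java.util.List;

public final class ExtensionLoaderDemo {

    interface ExtensionApi {}

    // Records whether SideEffecting's static initializer ran, without touching
    // SideEffecting itself (reading its own static field would initialize it).
    static final class Recorder { static boolean ran = false; }

    // Stand-in (constructed for this demo) for a classpath class named in a crafted
    // manifest.properties; its static initializer only flips a flag.
    static final class SideEffecting { static { Recorder.ran = true; } }

    // Vulnerable shape: Class.forName(name) initializes the class, so <clinit> runs
    // before the subtype check has any chance to reject it.
    static <T> T instantiateUnsafe(Class<T> expected, String className) throws Exception {
        Class<?> cls = Class.forName(className);
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    // Hardened shape: package-prefix allowlist, then load WITHOUT initialization
    // (initialize=false), then the subtype check; <clinit> only runs on instantiation.
    static <T> T instantiateSafe(Class<T> expected, String className,
                                 List<String> allowedPrefixes) throws Exception {
        if (allowedPrefixes.stream().noneMatch(className::startsWith)) {
            throw new IllegalArgumentException("class not in allowlist: " + className);
        }
        ClassLoader loader = expected.getClassLoader();
        if (loader == null) loader = ClassLoader.getSystemClassLoader();
        Class<?> cls = Class.forName(className, false, loader);
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        String name = SideEffecting.class.getName(); // class literal does not initialize
        // Demo allowlist admits this file's nested classes so the load path is exercised.
        List<String> allow = List.of("opennlp.tools.", ExtensionLoaderDemo.class.getName() + "$");
        try { instantiateSafe(ExtensionApi.class, name, allow); } catch (IllegalArgumentException e) {}
        System.out.println("hardened path ran <clinit>: " + Recorder.ran);
        try { instantiateUnsafe(ExtensionApi.class, name); } catch (IllegalArgumentException e) {}
        System.out.println("vulnerable path ran <clinit>: " + Recorder.ran);
    }
}
```

Run the hardened path first: both loaders reject SideEffecting as not assignable to ExtensionApi, but only the vulnerable one has already executed its static initializer by the time the check fires.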

Defensive priority

This vulnerability has a CVSS score of 9.8 and is considered critical. Users should prioritize upgrading to a fixed version or implementing mitigations to prevent exploitation.

Recommended defensive actions

  • Upgrade to version 2.5.9 for 2.x users
  • Upgrade to version 3.0.0-M3 for 3.x users
  • Ensure that all model files are sourced from trusted origins
  • Audit classpath for classes with side-effecting static initializers or constructors
  • Implement a package-prefix allowlist to restrict allowed classes

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and potential mitigations. The Apache OpenNLP project has released advisories and patches to address this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.