PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43825 Apache Software Foundation CVE debrief

CVE-2026-43825 is a high-severity vulnerability in Apache OpenNLP's SvmDoccatModel, which allows for remote code execution via untrusted Java deserialization. The vulnerability affects versions before 3.0.0-M4 and is caused by the deserialize() method reading an attacker-controlled stream with java.io.ObjectInputStream and calling readObject() without an ObjectInputFilter installed. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins.

Vendor
Apache Software Foundation
Product
Apache OpenNLP :: Core :: ML :: LibSVM
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache OpenNLP, particularly those who use the libsvm module, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 3.0.0-M4 or later, and treating all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified. Operators of systems that use Apache OpenNLP should review their deployments and ensure that they are not exposed to untrusted input.

Technical summary

The vulnerability is caused by the SvmDoccatModel.deserialize() method reading an attacker-controlled stream with java.io.ObjectInputStream and calling readObject() without an ObjectInputFilter installed. This allows for remote code execution via untrusted Java deserialization. The method is public and static, so any caller can pass an untrusted stream to it directly. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Apache OpenNLP version 3.0.0-M4 or later
  • Treat all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified
  • Avoid invoking SvmDoccatModel.deserialize() on streams supplied by end users or fetched from third-party sources without integrity checks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The vulnerability was reported by an unknown source and is described in the CVE record. The NVD entry is currently Analyzed. There is no information on whether the vulnerability is being actively exploited. The Apache OpenNLP project has released a fix for this vulnerability in version 3.0.0-M4. Users should verify the provenance of any serialized SvmDoccatModel streams before deserializing them.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T17:16:31.570Z and has not been modified since then. The NVD entry is currently Analyzed.