
CVE-2026-42027: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Apache Software Foundation Apache OpenNLP

Published: Mon May 04 2026 (05/04/2026, 16:43:12 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache OpenNLP

Description

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader

Versions Affected: before 2.5.9, before 3.0.0-M3

Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check.

Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control.

A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.

Mitigation:
* 2.x users should upgrade to 2.5.9.
* 3.x users should upgrade to 3.0.0-M3.

Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes.

Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.
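To make the ordering problem concrete, the following is an added illustration, not OpenNLP's own ExtensionLoader code: it places the pre-fix sequence (load, then type-check) next to an allowlist-first loader of the kind the advisory describes. The class name SafeExtensionLoader is hypothetical, and loading with initialize=false is an extra defence-in-depth step beyond the package allowlist the advisory mentions.

```java
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;

/** Illustrative allowlisted extension loader; not OpenNLP's own ExtensionLoader code. */
public final class SafeExtensionLoader {

    // Package prefixes permitted by default; "opennlp." mirrors the advisory's default.
    private static final Set<String> ALLOWED = new CopyOnWriteArraySet<>(Set.of("opennlp."));

    static {
        // Honour a comma-separated system property, as the advisory describes for the real fix.
        String extra = System.getProperty("OPENNLP_EXT_ALLOWED_PACKAGES", "");
        for (String p : extra.split(",")) {
            if (!p.isBlank()) ALLOWED.add(p.trim());
        }
    }

    public static void registerAllowedPackage(String prefix) {
        ALLOWED.add(prefix);
    }

    static boolean isAllowed(String className) {
        for (String prefix : ALLOWED) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    /** Pre-fix ordering (for contrast): Class.forName initializes the class before any check. */
    static <T> T instantiateUnchecked(Class<T> expected, String className) throws Exception {
        Class<?> c = Class.forName(className); // the static initializer has already run here
        if (!expected.isAssignableFrom(c)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        return expected.cast(c.getDeclaredConstructor().newInstance());
    }

    /** Hardened ordering: allowlist, then load without initializing, then type-check, then instantiate. */
    public static <T> T instantiateExtension(Class<T> expected, String className) throws Exception {
        if (!isAllowed(className)) {
            throw new IllegalArgumentException("class not in an allowed package: " + className);
        }
        // initialize=false defers the static initializer until the type check has passed.
        Class<?> c = Class.forName(className, false, SafeExtensionLoader.class.getClassLoader());
        if (!expected.isAssignableFrom(c)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        return expected.cast(c.getDeclaredConstructor().newInstance());
    }
}
```

With this ordering a manifest naming a class outside the allowed prefixes is rejected before the JVM ever resolves it, and a class that passes the prefix check but fails the type check is still never initialized.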

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/04/2026, 17:22:31 UTC

Technical Analysis

The ExtensionLoader.instantiateExtension(Class, String) method in Apache OpenNLP loads classes by fully-qualified name from a model archive manifest using Class.forName(), which executes the class's static initializer before type checks occur. This allows an attacker who can supply a crafted model archive to cause static initializers of any class on the classpath to run during model loading, potentially triggering side effects such as JNDI lookups or network access. The vulnerability affects versions before 2.5.9 and before 3.0.0-M3. The official fix introduces a package-prefix allowlist that restricts which classes can be loaded, preventing execution of static initializers in disallowed classes. Users must upgrade to these fixed versions or ensure all model files come from trusted sources and audit for classes with side-effecting static initializers or constructors.

Potential Impact

An attacker able to supply a crafted model archive can cause the static initializer of any class on the classpath to execute during model loading, potentially triggering side effects such as network requests or filesystem access. This does not directly enable remote code execution without suitable classes present on the classpath, but it increases the attack surface, especially in environments where models are loaded from untrusted sources. Deployments shipping classes with side-effecting no-arg constructors or static initializers are particularly at risk.

Mitigation Recommendations

A fix is available in Apache OpenNLP versions 2.5.9 and 3.0.0-M3; it introduces a package-prefix allowlist that prevents execution of static initializers in classes outside the allowed packages. Users should upgrade to these versions. Users unable to upgrade immediately should load model files only from trusted origins and audit the classpath for classes with side-effecting static initializers or constructors, especially those performing JNDI lookups, network operations, or filesystem access. Deployments that need to load factories or serializers outside the opennlp.* package must opt those packages in explicitly, via ExtensionLoader.registerAllowedPackage(String) or the OPENNLP_EXT_ALLOWED_PACKAGES system property.


Technical Details

Data Version: 5.2
Assigner Short Name: apache
Date Reserved: 2026-04-23T14:21:25.317Z
CVSS Version: null
State: PUBLISHED
Remediation Level: null

Threat ID: 69f8d216cbff5d8610397044

Added to database: 5/4/2026, 5:06:30 PM

Last enriched: 5/4/2026, 5:22:31 PM

Last updated: 5/5/2026, 5:56:37 AM