Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-04T16:43:12 Apache OpenNLP: Apache OpenNLP: Arbitrary Class Loading via Model Manifest 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CWE-502

A flaw was found in Apache OpenNLP. An attacker, by providing a specially crafted model archive, can exploit a vulnerability in the ExtensionLoader component. This allows the attacker to force the system to load and initialize any class present on the classpath, executing its static initializer. While not direct remote code execution, this could lead to unintended actions such as network communication or file system operations, depending on the classes available in the environment.

Red Hat build of Apache Camel for Spring Boot 4 Not affected opennlp-tools Red Hat Data Grid 8 Not affected opennlp-tools Red Hat Fuse 7 Will not fix opennlp-tools Red Hat JBoss Enterprise Application Platform 8 Not affected opennlp-tools Red Hat JBoss Enterprise Application Platform Expansion Pack Not affected opennlp-tools Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-trustyai-service-rhel8 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-trustyai-service-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-42027 https://nvd.nist.gov/vuln/detail/CVE-2026-42027 http://www.openwall.com/lists/oss-security/2026/05/01/20 https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y