Arbitrary Class Instantiation Vulnerability in Apache OpenNLP by Apache
CVE-2026-42027

Key Information:

Vendor

Apache

CVE Published:
4 May 2026

What is CVE-2026-42027?

The vulnerability lies in Apache OpenNLP's ExtensionLoader, which instantiates classes named in the manifest.properties entry of a model archive. The method ExtensionLoader.instantiateExtension(Class, String) resolves that name with Class.forName(), which loads and initializes the class before any check that it is actually of the expected extension type, so the type check is bypassed. An attacker who can supply a crafted model archive can therefore cause any class present on the classpath to be initialized, and a class with a harmful static initializer could perform JNDI lookups, network access or filesystem manipulation as soon as it is loaded. The risk is most significant in deployments that load models from untrusted third-party sources. To mitigate it, users are advised to upgrade to the latest versions, ensure all model files originate from trusted sources, and audit the classpath for classes whose static initializers have detrimental side effects.
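The following Java example is added here to illustrate the mechanism the advisory describes; it is not code from the advisory or from the OpenNLP project, and the class, method and interface names in it are hypothetical. It contrasts an unsafe loader that resolves an untrusted class name with the one-argument Class.forName() (which initializes the class, running its static initializer, before the caller can check its type) with a hardened loader that uses Class.forName(name, false, loader) so that the type check runs before any initialization. The hardened form is a common mitigation pattern, assumed here; the advisory does not state how the fixed OpenNLP versions implement their check.

```java
import java.lang.reflect.Constructor;

/**
 * Illustrative example (not OpenNLP's own code). Shows why resolving a class
 * name from untrusted input with Class.forName(name) is unsafe even when a
 * type check follows, and how deferring initialization until after the
 * check closes the gap. All names here are hypothetical.
 */
public final class ExtensionLoadingExample {

    /** Stand-in for the extension type an application expects to load. */
    public interface Tokenizer {
        String[] tokenize(String text);
    }

    /** A benign extension, used to show the hardened path succeeding. */
    public static final class WhitespaceTokenizer implements Tokenizer {
        public WhitespaceTokenizer() {}
        @Override public String[] tokenize(String text) { return text.trim().split("\\s+"); }
    }

    /**
     * Observation flag living in the OUTER class, so that reading it does not
     * itself trigger initialization of SideEffectOnLoad.
     */
    static boolean sideEffectRan = false;

    /**
     * Stand-in for a classpath class whose static initializer has a side
     * effect. Here the side effect is only setting a flag, so the example
     * stays harmless; the point is that it runs without anyone asking for it.
     */
    public static final class SideEffectOnLoad {
        static { sideEffectRan = true; }
    }

    /** Vulnerable pattern: Class.forName(name) initializes the class before the type check runs. */
    public static <T> T instantiateUnsafe(Class<T> expected, String className) throws Exception {
        Class<?> clazz = Class.forName(className);       // static initializer has already run here
        if (!expected.isAssignableFrom(clazz)) {         // the check comes too late to matter
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        return expected.cast(clazz.getDeclaredConstructor().newInstance());
    }

    /** Hardened pattern: load without initializing, check the type, and only then instantiate. */
    public static <T> T instantiateChecked(Class<T> expected, String className) throws Exception {
        ClassLoader loader = expected.getClassLoader();
        if (loader == null) loader = ClassLoader.getSystemClassLoader();
        // initialize=false: the class is loaded and linked, but its static initializer is not run
        Class<?> clazz = Class.forName(className, false, loader);
        if (!expected.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        Constructor<? extends T> ctor = clazz.asSubclass(expected).getDeclaredConstructor();
        return ctor.newInstance();                       // initialization now happens only for an approved type
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a class name as if read from an untrusted manifest.properties
        String untrustedName = SideEffectOnLoad.class.getName();

        try {
            instantiateChecked(Tokenizer.class, untrustedName);
        } catch (IllegalArgumentException e) {
            System.out.println("checked loader rejected: " + e.getMessage());
        }
        System.out.println("static initializer ran after checked loader? " + sideEffectRan);

        try {
            instantiateUnsafe(Tokenizer.class, untrustedName);
        } catch (IllegalArgumentException e) {
            System.out.println("unsafe loader rejected: " + e.getMessage());
        }
        System.out.println("static initializer ran after unsafe loader? " + sideEffectRan);

        // The hardened loader still works for a legitimate extension of the expected type
        Tokenizer t = instantiateChecked(Tokenizer.class, WhitespaceTokenizer.class.getName());
        System.out.println(String.join("|", t.tokenize("load models from trusted sources")));
    }
}
```

Running the main method shows that both loaders reject SideEffectOnLoad as not being a Tokenizer, but only the unsafe loader has already executed its static initializer by the time the rejection happens; the checked loader leaves the flag untouched. Note that an allow-list of permitted extension class names, applied before any call to Class.forName, is a further hardening step that does not depend on the class loader's behaviour at all.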

Affected Version(s)

Apache OpenNLP: all versions before 2.5.9

Apache OpenNLP 3.0: versions before 3.0.0-M3

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Subramanian S.