Untrusted Java Deserialization Vulnerability in Apache OpenNLP
CVE-2026-43825

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43825?

The deserialization method in Apache OpenNLP's SvmDoccatModel allows for untrusted input streams, potentially leading to remote code execution. By using Java's ObjectInputStream without an ObjectInputFilter, an attacker can exploit this vulnerability if they can control the input stream. When deserializing, all classes referenced in the stream are instantiated before the resulting object is cast to SvmDoccatModel. This means that if a malicious Java deserialization chain exists in the classpath of the application using this model, it could lead to arbitrary code execution, exposing downstream applications to serious risks. Users are strongly advised to upgrade to the latest version or treat any serialized streams as untrusted unless their source is verified.

Affected Version(s)

Apache OpenNLP :: Core :: ML :: LibSVM 3.0.0-M1 < 3.0.0-M4

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Subramanian S
.