SCA: security update for org.apache.opennlp:opennlp-tools (GHSA-cx4m-2p55-rw7j)

high Tenable Cloud Security Plugin ID 441560

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected:
before 1.9.5, before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class,
String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg
constructor, with the class name sourced from the manifest.properties entry of a model archive. The
existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension
interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs
after Class.forName() has already loaded and initialized the named class. Class.forName() with default
initialization semantics executes the target class's static initializer before returning, so an attacker
who can supply a crafted model archive can cause the static initializer of any class on the classpath to
run during model loading, regardless of whether that class passes the subsequent type check. Exploitation
requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup,
outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in
remote code execution; however, the attack surface grows as third-party model distribution becomes more
common (community model repositories, Hugging Face-style sharing), where users routinely load model files
from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate
BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious
manifest can name such a class and force its constructor to run during model load. Mitigation: * 2.x users
should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix
allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed
class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that
load models referencing factories or serializers outside opennlp.* must opt those packages in, either
programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by
setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package
prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted
origins and should audit their classpath for classes with side-effecting static initializers or
constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations
during class initialization. (CVE-2026-42027)

Solution

Update the org.apache.opennlp:opennlp-tools library and its related packages to version 2.5.9 or later.

See Also

https://github.com/advisories/GHSA-cx4m-2p55-rw7j

Plugin Details

Severity: High

ID: 441560

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/8/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-42027

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2026

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-42027

cwe: CWE-470