PT-2026-36636 · Apache · Apache OpenNLP

Subramanian S · Published 2026-05-02 · Updated 2026-05-13
CVE-2026-42027
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Apache OpenNLP versions prior to 2.5.9
Apache OpenNLP versions prior to 3.0.0-M3

Description
The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name with Class.forName() and invokes its no-arg constructor; the class name is taken from the manifest.properties entry of a model archive. Class.forName(String) initializes the class it resolves, so the named class's static initializer runs before the isAssignableFrom type check is reached. An attacker who supplies a crafted model archive can therefore trigger the static initializer of any class on the classpath, whether or not it is a valid extension type. Where such a class has side effects in its static initializer (a JNDI lookup, outbound network I/O, filesystem access), those side effects execute with the privileges of the process loading the model, even though the subsequent type check rejects the class. A narrower vector also exists: a malicious manifest can name a legitimate BaseToolFactory or ArtifactSerializer subclass whose no-arg constructor has side effects; that class passes the type check, so its constructor is executed as well.
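The ordering problem described above, as an added illustration that is not OpenNLP's code: a loader written in the vulnerable style (Class.forName(name), then the type check) beside one that resolves the class with initialize=false and checks the type before anything can run. ToolFactory stands in for BaseToolFactory, Gadget for an unrelated classpath class with a side-effecting static initializer, and loadUnsafe/loadSafe are stand-in names; the hardened form shown is one standard remedy for this pattern, not a claim about how the project's own fix is written.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added demonstration of the Class.forName() ordering issue. Illustrative code,
 * not OpenNLP's ExtensionLoader; ToolFactory, Gadget, loadUnsafe and loadSafe
 * are stand-in names.
 */
public class ExtensionLoaderDemo {

    /** Records which static initializers have run. The log lives in the outer
     *  class because reading a field of Gadget would itself initialize Gadget. */
    static final List<String> INIT_LOG = new ArrayList<>();

    /** Stand-in for BaseToolFactory: the only type a manifest may legitimately name. */
    public static class ToolFactory {
        public ToolFactory() {}
    }

    /** Stand-in for an unrelated class on the classpath whose static initializer
     *  has side effects (in a real deployment: a JNDI lookup, an HTTP call, a file write). */
    public static class Gadget {
        static {
            INIT_LOG.add("Gadget.<clinit> ran");
        }
    }

    /** Vulnerable pattern: Class.forName(String) initializes the class, so the
     *  named class's static initializer runs before the type check below. */
    static <T> T loadUnsafe(Class<T> expected, String className) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className);
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    /** Hardened pattern: resolve with initialize=false, reject on type first, and
     *  let initialization happen only for a class that passed the check. */
    static <T> T loadSafe(Class<T> expected, String className) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className, false, expected.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        // newInstance() triggers <clinit> at this point, but only for an accepted type.
        return expected.cast(cls.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // What a crafted manifest.properties would carry: the name of a gadget class.
        // A class literal does not initialize the class, so nothing has run yet.
        String hostile = Gadget.class.getName();

        try {
            loadSafe(ToolFactory.class, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe loader rejected " + hostile + "; INIT_LOG=" + INIT_LOG);
        }

        try {
            loadUnsafe(ToolFactory.class, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("unsafe loader rejected " + hostile + "; INIT_LOG=" + INIT_LOG);
        }

        // A legitimate extension type still loads through the hardened path.
        ToolFactory factory = loadSafe(ToolFactory.class, ToolFactory.class.getName());
        System.out.println("loaded " + factory.getClass().getSimpleName());
    }
}
```

Run it with `java ExtensionLoaderDemo.java` (single-file launch, Java 11 or later). The safe loader rejects the gadget with INIT_LOG still empty; the unsafe loader also rejects it, but only after Gadget's static initializer has already recorded itself, which is exactly the window the advisory describes. Note that initialize=false does not help against the narrower vector: a class that genuinely extends the expected type passes the check and its constructor runs, so an allow-list of accepted class names is the complement to this fix.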
Recommendations
Upgrade to version 2.5.9 for 2.x users.
Upgrade to version 3.0.0-M3 for 3.x users.
Ensure all model files are sourced from trusted origins.
Audit the classpath for classes with side-effecting static initializers or constructors, specifically those performing JNDI lookups, network requests, or filesystem operations during initialization.
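A pre-load screen for model archives, as an added example that is not part of OpenNLP and does not replace the upgrade above: it reads manifest.properties out of the model zip without loading any class and rejects the archive if an entry names a class outside an allow-list. It assumes the archive is a zip with a root entry named manifest.properties, that the factory class is stored under the key "factory", and that serializer classes are stored under keys prefixed "serializer-class-"; confirm those names against the OpenNLP version you deploy. The allow-list entries are example factory class names and must be extended for the factories and serializers your models actually use.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/**
 * Added pre-load check for OpenNLP model archives. Illustrative code, not part
 * of OpenNLP. The manifest key names below are assumptions; verify them
 * against the OpenNLP version in use.
 */
public final class ModelManifestCheck {

    static final String MANIFEST_ENTRY = "manifest.properties";          // assumed entry name
    static final String FACTORY_KEY = "factory";                         // assumed key
    static final String SERIALIZER_KEY_PREFIX = "serializer-class-";     // assumed key prefix

    /** Class names this deployment allows a manifest to name. Example entries only;
     *  extend for the factories and serializers you actually ship. */
    static final Set<String> ALLOWED_CLASSES = Set.of(
        "opennlp.tools.tokenize.TokenizerFactory",
        "opennlp.tools.sentdetect.SentenceDetectorFactory",
        "opennlp.tools.postag.POSTaggerFactory",
        "opennlp.tools.namefind.TokenNameFinderFactory",
        "opennlp.tools.chunker.ChunkerFactory"
    );

    /** Reads manifest.properties out of the model zip; no class is resolved or loaded. */
    static Properties readManifest(Path model) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(model))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (MANIFEST_ENTRY.equals(entry.getName())) {
                    Properties manifest = new Properties();
                    manifest.load(zin);   // a ZipInputStream ends at the end of this entry
                    return manifest;
                }
            }
        }
        throw new IOException(model + ": no " + MANIFEST_ENTRY + " entry");
    }

    /** Returns every manifest entry that names a class outside the allow-list. */
    static List<String> disallowedClassEntries(Properties manifest) {
        List<String> offending = new ArrayList<>();
        for (String key : manifest.stringPropertyNames()) {
            if (key.equals(FACTORY_KEY) || key.startsWith(SERIALIZER_KEY_PREFIX)) {
                String className = manifest.getProperty(key).trim();
                if (!ALLOWED_CLASSES.contains(className)) {
                    offending.add(key + "=" + className);
                }
            }
        }
        return offending;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: ModelManifestCheck <model.bin>");
            System.exit(2);
        }
        Path model = Path.of(args[0]);
        List<String> offending = disallowedClassEntries(readManifest(model));
        if (offending.isEmpty()) {
            System.out.println("OK " + model);
        } else {
            System.out.println("REJECT " + model + " " + offending);
            System.exit(1);
        }
    }
}
```

Run it against each model before handing the file to the OpenNLP loader, and fail closed on a non-zero exit. Because the check only parses a properties file, it never triggers Class.forName() and so cannot itself set off the static initializer the advisory warns about; it also catches the narrower vector, since a legitimate subclass with a side-effecting constructor is rejected unless it was deliberately added to the allow-list.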

Related Identifiers

CVE-2026-42027
GHSA-CX4M-2P55-RW7J

Affected Products

Apache OpenNLP