CVE-2026-43825

Apache · OpenNLP Core ML LibSVM

An untrusted Java deserialization vulnerability exists in the Apache OpenNLP SvmDoccatModel component, potentially allowing arbitrary code execution.

Executive summary

A critical deserialization vulnerability in Apache OpenNLP allows unauthenticated attackers to execute arbitrary code, posing a significant risk to system integrity.

Vulnerability

This vulnerability is caused by insecure deserialization of untrusted data within the SvmDoccatModel component. The attack vector is network-based and does not require authentication or user interaction to exploit.

Business impact

Successful exploitation of this flaw can lead to unauthorized code execution, potentially resulting in full system compromise, data theft, or disruption of services. While the CVSS score of 7.3 (High) reflects a significant risk, the ability to execute arbitrary code makes this a priority for any environment utilizing OpenNLP for automated text processing.

Remediation

Immediate Action: Upgrade to version 3.0.0-M4 or the latest available stable release as specified by the Apache OpenNLP security advisory.

Proactive Monitoring: Monitor application logs for suspicious serialized objects or unexpected process spawns originating from the OpenNLP service.

Compensating Controls: Implement strict network ingress filtering to restrict access to services using OpenNLP and ensure the application runs with the least privilege necessary to limit the impact of code execution.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for remote code execution, organizations should treat this vulnerability with high urgency. Administrators must verify their current version of Apache OpenNLP and apply the necessary patches immediately to prevent potential exploitation of the deserialization flaw.