Description
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite.

This issue affects Apache Calcite: from 1.5.0 before 1.42.

Users are recommended to upgrade to version 1.42, which fixes the issue.
Published: 2026-06-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unsafe reflection flaw allows a user to supply a model definition that specifies arbitrary Java classes, enabling those classes to be loaded and executed by Apache Calcite. This vulnerability, classified as CWE‑470, can compromise confidentiality, integrity, and availability by allowing execution of attacker‑chosen code within the Calcite process or any bundled services.

Affected Systems

The flaw exists in Apache Calcite versions from 1.5.0 up through 1.41.x. Versions 1.42 and newer contain the vendor‑provided fix and are not affected.

Risk and Exploitability

The CVSS score is 6.5 and the EPSS score is <1%, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the ability to supply or influence a model definition that the Calcite engine processes; for applications that expose user‑controlled models without validation, exploitation can be straightforward. Because no public exploits are reported, the probability of attack is uncertain, but the potential impact remains high due to the remote code execution capability.

Generated by OpenCVE AI on June 2, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Calcite to version 1.42 or later to apply the vendor fix for the unsafe reflection flaw.
  • If an upgrade cannot be performed immediately, restrict or eliminate the ability for users to provide custom model definitions that include class names; enforce strict validation or disable dynamic class loading in the impacted modules.
  • Implement network or application‑level controls that limit which components or endpoints can submit model definitions to the Calcite engine, thereby reducing the attack surface.
  • Enable detailed logging of class‑loading events and monitor for unexpected or suspicious class names; investigate any anomalous activity promptly.

Generated by OpenCVE AI on June 2, 2026 at 16:42 UTC.
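As an added, defender-side illustration of the second recommended action above (this is not code from the advisory, from OpenCVE or from the Apache Calcite project): a small Python pre-check that walks a Calcite model JSON document, collects every class reference it contains, and rejects the model before it reaches the engine unless every class is on an explicit allow-list. The key names `factory` (custom schemas and tables) and `className` (functions) follow the Calcite model JSON format as understood here and are an assumption; the allow-list and the two sample models are constructed for the example.

```python
import json

# Constructed allow-list: the only classes this deployment expects a model to
# name. In practice, populate it from the adapters you actually ship.
ALLOWED_CLASSES = frozenset({
    "org.apache.calcite.adapter.csv.CsvSchemaFactory",
})

# Keys under which a Calcite model JSON names a Java class (assumption based on
# the model format: "factory" for custom schemas/tables, "className" for functions).
CLASS_KEYS = ("factory", "className")


def find_class_references(node, path="$"):
    """Recursively yield (json_path, class_name) for every class-naming key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in CLASS_KEYS and isinstance(value, str):
                yield child, value
            else:
                yield from find_class_references(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_class_references(item, f"{path}[{index}]")


def validate_model(model_text, allowed=ALLOWED_CLASSES):
    """Return a list of violations; an empty list means the model may be loaded.

    Malformed JSON is reported as a violation rather than raised, so a caller can
    treat every non-empty result as "do not hand this model to Calcite".
    """
    try:
        model = json.loads(model_text)
    except json.JSONDecodeError as exc:
        return [f"$: model is not valid JSON ({exc.msg})"]
    violations = []
    for path, cls in find_class_references(model):
        if cls not in allowed:
            violations.append(f"{path}: class {cls!r} not in allow-list")
    return violations


# Constructed sample: a model that only references the allow-listed factory.
SAFE_MODEL = json.dumps({
    "version": "1.0",
    "defaultSchema": "SALES",
    "schemas": [{
        "name": "SALES",
        "type": "custom",
        "factory": "org.apache.calcite.adapter.csv.CsvSchemaFactory",
        "operand": {"directory": "sales"},
    }],
})

# Constructed sample: a model naming two classes that are not on the allow-list
# (placeholder names, not real gadget classes).
UNSAFE_MODEL = json.dumps({
    "version": "1.0",
    "schemas": [{
        "name": "X",
        "type": "custom",
        "factory": "com.example.NotOnTheAllowList",
        "functions": [{"name": "f", "className": "com.example.AlsoNotAllowed"}],
    }],
})


if __name__ == "__main__":
    for label, text in (("safe", SAFE_MODEL), ("unsafe", UNSAFE_MODEL)):
        problems = validate_model(text)
        print(f"{label}: {'accepted' if not problems else 'rejected'}")
        for problem in problems:
            print("  ", problem)
```

The check is deliberately a gate in front of the engine rather than a patch to it: it does not depend on Calcite internals, so it can sit in whatever service accepts model definitions from users, and the reported JSON paths give an operator something concrete to log and alert on while the upgrade to 1.42 is rolled out.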

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

  Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:apache:calcite:*:*:*:*:*:*:*:*

Tue, 02 Jun 2026 15:30:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 13:15:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Apache; Apache calcite

  Type: Vendors & Products
  Values removed: (none)
  Values added: Apache; Apache calcite

Tue, 02 Jun 2026 10:30:00 +0000

  Type: References
  Values removed: (none)
  Values added: (none)

Tue, 02 Jun 2026 10:00:00 +0000

  Type: Description
  Values removed: (none)
  Values added: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.

  Type: Title
  Values removed: (none)
  Values added: Apache Calcite: A user-controlled model can load arbitrary classes, leading to code execution

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-470

  Type: References
  Values removed: (none)
  Values added: (none)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-02T14:41:35.506Z

Reserved: 2026-05-15T23:55:08.288Z

Link: CVE-2026-46718

Vulnrichment

Updated: 2026-06-02T09:29:32.978Z

NVD

Status: Analyzed

Published: 2026-06-02T10:16:25.377

Modified: 2026-06-03T02:04:50.883

Link: CVE-2026-46718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:45:13Z

Weaknesses