CVE-2026-46718 PUBLISHED

Apache Calcite: A user-controlled model can load arbitrary classes, leading to code execution

Assigner: apache
Reserved: 15.05.2026 Published: 02.06.2026 Updated: 02.06.2026

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite.

This issue affects Apache Calcite: from 1.5.0 up to, but not including, 1.42.

Users are recommended to upgrade to version 1.42, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache Calcite
Versions Default: unaffected
  • affected from 1.5.0 to 1.42 (excl.)

Credits

  • pyn3rd finder
  • uname finder
  • 4ra1n finder

References

Problem Types

  • CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')