UBUNTU-CVE-2026-40682

Source
https://ubuntu.com/security/CVE-2026-40682
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40682.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-40682
Upstream
  • CVE-2026-40682
Published
2026-05-04T17:16:00Z
Modified
2026-05-20T16:25:40.475576626Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor

Versions Affected: before 2.5.9, before 3.0.0-M3

Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support; external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario.

Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.
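The following is an added example, not code from Apache OpenNLP or from the advisory. It shows the two controls the description contrasts: a SAXParserFactory configured the way the advisory says XmlUtil.createSaxParser() is (secure processing on, disallow-doctype-decl on, with external entity features additionally switched off), and the pre-parse guard the mitigation suggests for callers of Dictionary(InputStream), which refuses any document carrying a DOCTYPE before the bytes reach a parser. The sample dictionary XML, the element names entry/token and the helper names createHardenedSaxParser, rejectDoctype and countEntries are all constructed for illustration; the entry counter merely stands in for the EntryInserter callback the advisory mentions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedDictionaryParsing {

    // Hardened factory. The vulnerable path described in the advisory only set
    // namespace awareness; everything below is what it was missing.
    static SAXParser createHardenedSaxParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse any DOCTYPE outright: no internal subset, no external DTD, no entity declarations.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that honour these but not the line above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory.newSAXParser();
    }

    // Pre-parse guard from the advisory's mitigation: reject input that carries a DOCTYPE
    // before any parser sees it. Assumption: the dictionary is small enough to buffer and
    // uses an ASCII-compatible encoding such as UTF-8 (a UTF-16 file would need BOM-aware
    // decoding). This is defence in depth; the parser configuration is the primary control.
    static InputStream rejectDoctype(InputStream in) throws IOException {
        byte[] data = in.readAllBytes();
        String text = new String(data, StandardCharsets.ISO_8859_1); // byte-preserving view
        if (text.contains("<!DOCTYPE")) {                            // keyword is case-sensitive in XML
            throw new IOException("dictionary rejected: DOCTYPE declarations are not allowed");
        }
        return new ByteArrayInputStream(data);
    }

    // Counts <entry> elements through the guard and the hardened parser.
    // Constructed stand-in for the EntryInserter callback named in the advisory.
    static int countEntries(InputStream xml) throws IOException, SAXException, ParserConfigurationException {
        final int[] count = {0};
        XMLReader reader = createHardenedSaxParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes atts) {
                if ("entry".equals(localName)) {
                    count[0]++;
                }
            }
        });
        reader.parse(new InputSource(rejectDoctype(xml)));
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample dictionary; element names are illustrative only.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<dictionary><entry><token>the</token></entry><entry><token>and</token></entry></dictionary>";
        int n = countEntries(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println("benign dictionary entries: " + n);

        // Constructed sample with a harmless internal DOCTYPE (no entities at all):
        // the guard refuses it before parsing starts.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE dictionary [<!ELEMENT dictionary ANY>]><dictionary/>";
        byte[] doctypeBytes = withDoctype.getBytes(StandardCharsets.UTF_8);
        try {
            countEntries(new ByteArrayInputStream(doctypeBytes));
        } catch (IOException e) {
            System.out.println("guard: " + e.getMessage());
        }

        // Even with the guard bypassed, the hardened parser refuses the same document.
        try {
            createHardenedSaxParser().parse(new ByteArrayInputStream(doctypeBytes), new DefaultHandler());
        } catch (SAXException e) {
            System.out.println("parser: " + e.getMessage());
        }
    }
}
```

On a JDK with the built-in Xerces parser, the benign document yields two entries, the guard throws on the DOCTYPE sample, and the hardened parser throws a SAXParseException for the same bytes. For detection, a dictionary file that contains a DOCTYPE at all is anomalous for this format and is worth logging at the point where the guard fires, since a legitimate OpenNLP dictionary has no reason to carry one.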

References

Affected packages

Ubuntu:20.04:LTS / apache-opennlp

Package

Name
apache-opennlp
Purl
pkg:deb/ubuntu/apache-opennlp?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.9.1-2
1.9.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.9.2-1",
            "binary_name": "libapache-opennlp-java"
        },
        {
            "binary_version": "1.9.2-1",
            "binary_name": "opennlp"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40682.json"

Ubuntu:22.04:LTS / apache-opennlp

Package

Name
apache-opennlp
Purl
pkg:deb/ubuntu/apache-opennlp?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.9.3-1
1.9.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.9.4-1",
            "binary_name": "libapache-opennlp-java"
        },
        {
            "binary_version": "1.9.4-1",
            "binary_name": "opennlp"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40682.json"

Ubuntu:24.04:LTS / apache-opennlp

Package

Name
apache-opennlp
Purl
pkg:deb/ubuntu/apache-opennlp?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.3.0-1
2.3.1-1
2.3.1-2
2.3.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.3.2-1",
            "binary_name": "libapache-opennlp-java"
        },
        {
            "binary_version": "2.3.2-1",
            "binary_name": "opennlp"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40682.json"

Ubuntu:25.10 / apache-opennlp

Package

Name
apache-opennlp
Purl
pkg:deb/ubuntu/apache-opennlp?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.5.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.5.3-1",
            "binary_name": "libapache-opennlp-java"
        },
        {
            "binary_version": "2.5.3-1",
            "binary_name": "opennlp"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40682.json"

Ubuntu:26.04:LTS / apache-opennlp

Package

Name
apache-opennlp
Purl
pkg:deb/ubuntu/apache-opennlp?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*
2.5.3-1
2.5.3-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.5.3-1build1",
            "binary_name": "libapache-opennlp-java"
        },
        {
            "binary_version": "2.5.3-1build1",
            "binary_name": "opennlp"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40682.json"