CVE-2026-46718

CVE-2026-46718: Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution

Vendor Apache Software Foundation

Product Apache Calcite

Weakness CWE-470

Published June 2, 2026

Last update June 2, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.

Key dates

Disclosure timeline

June 2, 2026 CVE published

June 2, 2026 Record updated