
CVE-2026-46718: Apache Calcite RCE Vulnerability

CVE-2026-46718 is a remote code execution vulnerability in Apache Calcite caused by unsafe reflection. Attackers can exploit externally-controlled input to execute arbitrary code. This article covers technical details, affected versions, and mitigation strategies.


CVE-2026-46718 Overview

CVE-2026-46718 is an unsafe reflection vulnerability (CWE-470) in Apache Calcite. The flaw allows externally-controlled input to select classes or code loaded through reflection. Apache Calcite is a dynamic data management framework used for SQL parsing, query optimization, and federated query processing across many data sources.

The vulnerability affects Apache Calcite versions 1.5.0 through 1.41.x. Apache fixed the issue in version 1.42. An attacker reachable over the network can exploit the flaw without authentication or user interaction to impact confidentiality and integrity.

Critical Impact

Network-reachable attackers can influence reflective class loading in Apache Calcite, leading to unauthorized access to data and limited tampering across affected query workloads.

Affected Products

  • Apache Calcite 1.5.0 through versions prior to 1.42
  • Downstream projects embedding vulnerable Calcite releases (for example, query engines and JDBC-based analytics platforms)
  • Applications exposing Calcite SQL parsing or adapter functionality to untrusted input

Discovery Timeline

  • 2026-06-02 - CVE-2026-46718 published to the National Vulnerability Database
  • 2026-06-03 - Entry last modified in NVD

Technical Details for CVE-2026-46718

Vulnerability Analysis

Apache Calcite uses Java reflection to dynamically resolve classes, functions, and adapters at runtime. The vulnerability arises when input from an external source flows into reflective APIs that load or instantiate classes. An attacker who controls that input can direct Calcite to load classes that the application did not intend to expose.

The consequences depend on which classes are reachable through the classpath. In practice, attackers can read data through unintended type coercion, invoke methods on classes carrying sensitive logic, or alter query behavior. The flaw is reachable across the network and requires no privileges or user interaction.

Root Cause

The root cause is a violation of CWE-470: Use of Externally-Controlled Input to Select Classes or Code. Calcite trusts attacker-influenced identifiers when selecting which class or code path to load reflectively, instead of constraining selection to a vetted allow list.
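To make the CWE-470 pattern concrete, here is an added illustration that is not Apache Calcite code and is not drawn from the advisory: a hypothetical function resolver that passes an externally supplied identifier straight to Class.forName, placed beside the allow-list form in which external input only selects a key from a registry the application fixed at build time. The CustomFunction interface, the UpperFunction and LengthFunction classes, and the REGISTRY map are all invented for the example.

```java
import java.util.Locale;
import java.util.Map;

// Added illustration of CWE-470 (unsafe reflection) and its allow-list fix.
// This is NOT Apache Calcite code: the resolver, the function names and the
// CustomFunction interface are hypothetical stand-ins for a Calcite-like
// component that resolves user-supplied identifiers to Java classes.
public class ReflectionAllowList {

    /** A hypothetical plug-in contract; real Calcite uses different interfaces. */
    public interface CustomFunction {
        Object apply(Object arg);
    }

    /** Two vetted implementations the application intends to expose. */
    public static final class UpperFunction implements CustomFunction {
        public Object apply(Object arg) { return String.valueOf(arg).toUpperCase(Locale.ROOT); }
    }

    public static final class LengthFunction implements CustomFunction {
        public Object apply(Object arg) { return String.valueOf(arg).length(); }
    }

    // VULNERABLE: the identifier taken from SQL text or adapter configuration goes
    // straight to Class.forName, so any class on the classpath can be selected.
    public static Object resolveUnsafe(String externalClassName) throws Exception {
        Class<?> cls = Class.forName(externalClassName);      // caller picks the class
        return cls.getDeclaredConstructor().newInstance();    // and gets it instantiated
    }

    // HARDENED: external input only selects a key in a fixed registry; the class
    // choice was made by the application at build time, never by the caller.
    private static final Map<String, Class<? extends CustomFunction>> REGISTRY = Map.of(
        "UPPER", UpperFunction.class,
        "LENGTH", LengthFunction.class);

    public static CustomFunction resolveSafe(String functionName) throws ReflectiveOperationException {
        Class<? extends CustomFunction> cls = REGISTRY.get(functionName.toUpperCase(Locale.ROOT));
        if (cls == null) {
            throw new IllegalArgumentException("unknown function: " + functionName);
        }
        return cls.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input mimicking an identifier lifted from untrusted SQL text.
        String untrusted = "java.util.Date";
        System.out.println("unsafe: loaded " + resolveUnsafe(untrusted).getClass().getName());
        System.out.println("safe: UPPER('abc') = " + resolveSafe("upper").apply("abc"));
        try {
            resolveSafe(untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected -> " + e.getMessage());
        }
    }
}
```

The hardened resolver still uses reflection, which is the point: the fix is not to avoid reflection but to ensure the class being loaded is chosen by a vetted table rather than by the string an external party controls. The same shape applies to adapter factories and any other identifier the workaround section says to validate and constrain before it reaches Calcite.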

Attack Vector

Exploitation requires an attacker to submit crafted input — typically through SQL text, adapter configuration, or function references — to an application that embeds Apache Calcite. When Calcite processes the input, it resolves the supplied identifier through reflection and loads the attacker-chosen class. No authentication is required if the embedding application exposes query interfaces anonymously.

No public proof-of-concept exploit is currently available. Refer to the Apache mailing list thread and the OpenWall OSS Security discussion for vendor-supplied technical context.

Detection Methods for CVE-2026-46718

Indicators of Compromise

  • Unexpected class loading events from Apache Calcite runtime, particularly involving fully qualified class names supplied through SQL text or adapter parameters
  • Outbound network connections from JVM processes hosting Calcite to unfamiliar destinations following query execution
  • Errors or stack traces referencing ClassNotFoundException or InvocationTargetException originating from Calcite reflection paths

Detection Strategies

  • Inventory all applications and dependencies that bundle Apache Calcite and identify versions between 1.5.0 and 1.41.x using software composition analysis
  • Inspect query logs for SQL or adapter inputs containing fully qualified Java class names or unusual function references
  • Enable JVM class loading verbose logging on Calcite hosts to surface reflective loads of non-Calcite classes during query processing
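As an added example, not a Calcite or vendor tool, the following Java triage sketch applies the two log-based strategies above to constructed sample lines: it flags fully qualified Java class names appearing in query or adapter input, and it flags class loads outside an assumed baseline package set in JDK unified class-load logging (-Xlog:class+load, the JDK 9+ form of -verbose:class). The query-log format, the BASELINE_PREFIXES list and every sample line are assumptions for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added detection sketch for the two log sources named above. It is not a
// Calcite or vendor tool: the query-log format is hypothetical, the class-load
// lines follow JDK unified logging (-Xlog:class+load), and the baseline package
// prefixes are assumptions to tune per host.
public class CalciteLogTriage {

    // A dotted identifier with at least two lowercase package segments followed by
    // a capitalised simple name: the usual shape of a fully qualified Java class.
    private static final Pattern FQCN =
        Pattern.compile("\\b(?:[a-z_][a-z0-9_]*\\.){2,}[A-Z][A-Za-z0-9_$]*\\b");

    // JDK unified logging line: "[<uptime>][info][class,load] <class> source: <origin>"
    private static final Pattern CLASS_LOAD =
        Pattern.compile("\\[class,load\\]\\s+(\\S+)\\s+source:");

    // Packages expected to load during normal Calcite query processing (assumed baseline).
    private static final String[] BASELINE_PREFIXES = {
        "java.", "javax.", "jdk.", "sun.", "org.apache.calcite.", "com.google.common."
    };

    /** Flag SQL text or adapter parameters that carry a fully qualified class name. */
    public static List<String> scanQueryLog(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = FQCN.matcher(line);
            while (m.find()) {
                findings.add("class name in query input: " + m.group());
            }
        }
        return findings;
    }

    /** Flag class loads whose package is outside the baseline set. */
    public static List<String> scanClassLoadLog(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = CLASS_LOAD.matcher(line);
            if (!m.find()) continue;
            String cls = m.group(1);
            if (!isBaseline(cls)) findings.add("non-baseline class load: " + cls);
        }
        return findings;
    }

    private static boolean isBaseline(String cls) {
        for (String p : BASELINE_PREFIXES) if (cls.startsWith(p)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample lines; not real captures.
        List<String> queryLog = List.of(
            "2026-06-03T10:01:02Z user=alice sql=\"SELECT name FROM emps WHERE id = 7\"",
            "2026-06-03T10:01:09Z user=bob sql=\"SELECT com.example.plugins.LoaderHook(x) FROM emps\"",
            "2026-06-03T10:01:11Z user=bob adapter.param=\"org.acme.adapter.RemoteFactory\"");
        List<String> classLog = List.of(
            "[12.001s][info][class,load] org.apache.calcite.sql.SqlSelect source: file:/opt/app/calcite-core.jar",
            "[12.004s][info][class,load] java.util.HashMap source: jrt:/java.base",
            "[12.220s][info][class,load] com.example.plugins.LoaderHook source: file:/opt/app/plugins.jar");
        scanQueryLog(queryLog).forEach(System.out::println);   // flags the two class names
        scanClassLoadLog(classLog).forEach(System.out::println); // flags com.example.plugins.LoaderHook
    }
}
```

The class-load scan is a first-seen style check: anything outside the baseline is surfaced for review rather than judged malicious, so the prefix list should be built from a known-good run of the service before it is used for alerting.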

Monitoring Recommendations

  • Forward JVM, application, and query logs from Calcite-embedding services to a centralized analytics platform for correlation
  • Alert on first-seen class loads in production Calcite workloads and on process behavior deviating from established query baselines
  • Track egress traffic from analytics and query services for anomalies that follow user-submitted queries

How to Mitigate CVE-2026-46718

Immediate Actions Required

  • Upgrade Apache Calcite to version 1.42 or later in all directly and transitively dependent applications
  • Audit downstream products that embed Calcite and apply vendor patches as they become available
  • Restrict network exposure of services that accept untrusted SQL or adapter input until patching is complete

Patch Information

Apache released Apache Calcite 1.42 to remediate CVE-2026-46718. Users on any release from 1.5.0 through 1.41.x should upgrade. Review the Apache mailing list announcement for upgrade notes and behavioral changes.

Workarounds

  • Validate and constrain user-supplied identifiers before they reach Calcite parsing or adapter configuration
  • Run Calcite-embedding services with least-privilege classpaths that exclude sensitive or dangerous classes
  • Enforce authentication and authorization on any interface that forwards input into Calcite query processing

```bash
# Example: pin Apache Calcite to the fixed version in a Maven build
mvn versions:set-property -Dproperty=calcite.version -DnewVersion=1.42
mvn versions:use-dep-version -Dincludes=org.apache.calcite:calcite-core -DdepVersion=1.42 -DforceVersion=true
mvn dependency:tree | grep calcite
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
