CVE-2026-6501 Overview
CVE-2026-6501 is an XML External Entity (XXE) vulnerability affecting ILM Informatique jOpenDocument version 1.5. The flaw stems from improper restriction of XML external entity references during document parsing [CWE-611]. Authenticated attackers can submit crafted OpenDocument files that trigger external entity resolution. This enables a Data Serialization External Entities Blowup condition against applications relying on jOpenDocument for ODF processing.
The vulnerability carries a CVSS 4.0 score of 5.3 and currently has no public exploit code or vendor patch advisory linked in the National Vulnerability Database (NVD) entry.
Critical Impact
Authenticated attackers can abuse XML parsing in jOpenDocument 1.5 to read confidential data or exhaust resources through entity expansion against applications that ingest untrusted ODF documents.
Affected Products
- ILM Informatique jOpenDocument 1.5
- Java applications embedding the jOpenDocument library for OpenDocument Format (ODF) parsing
- Server-side document processing pipelines that accept user-supplied .odt, .ods, or .odp files
Discovery Timeline
- 2026-05-04 - CVE-2026-6501 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-6501
Vulnerability Analysis
The vulnerability resides in the XML parsing logic of jOpenDocument 1.5. OpenDocument Format files are ZIP archives containing XML components such as content.xml, styles.xml, and meta.xml. When jOpenDocument parses these XML streams, the underlying parser does not disable external entity resolution. An attacker who can supply or upload an ODF document to a vulnerable application controls the document type definition (DTD) referenced by the XML payload.
The attacker embeds a malicious DOCTYPE declaration with external entities pointing at local files or remote URLs. When the parser dereferences these entities, it returns file contents into the parsed document or issues outbound network requests. The Data Serialization External Entities Blowup variant additionally permits recursive entity expansion that consumes memory and CPU resources, producing a denial of service condition on the host JVM.
Root Cause
The root cause is a missing hardening configuration on the Java XML parser used by jOpenDocument. Secure parsing requires setting features such as http://apache.org/xml/features/disallow-doctype-decl to true and disabling external-general-entities and external-parameter-entities. Without these flags the parser resolves every external resource referenced inside the DOCTYPE, which is exactly the weakness [CWE-611] describes.
Attack Vector
Exploitation requires network access and low-privilege authentication, with no user interaction. An attacker uploads a crafted ODF file to an application backed by jOpenDocument 1.5. The malicious file contains an XML payload such as a DOCTYPE referencing file:///etc/passwd through an entity, or a nested entity definition that triggers exponential expansion. The parser resolves the entity during document load, leaking file contents back to the attacker through error messages, document fields, or out-of-band channels, or exhausting memory.
No verified public exploit code is currently available. See the JOpenDocument Documentation for details on the parsing components involved.
Detection Methods for CVE-2026-6501
Indicators of Compromise
- Inbound ODF files containing <!DOCTYPE declarations or <!ENTITY definitions inside content.xml, styles.xml, or any other XML part of the archive (a conforming ODF document uses neither)
- Unexpected outbound HTTP, FTP, or DNS traffic from JVM processes that parse user-uploaded documents
- Java stack traces referencing org.jopendocument.dom accompanied by SAXParseException entries tied to entity resolution
- Sudden memory pressure or OutOfMemoryError events in services that ingest ODF files
Detection Strategies
- Inspect uploaded ODF archives by extracting embedded XML and flagging any DOCTYPE or ENTITY tokens before passing files to jOpenDocument
- Correlate document upload events with subsequent outbound connections from the application server within a short time window
- Apply YARA or signature rules across object storage and mail gateways to identify ODF payloads referencing external entities; the rules must run on the decompressed XML parts, since the deflate-compressed bytes of the archive itself will not match plain-text DOCTYPE or ENTITY tokens
Monitoring Recommendations
- Log all calls into jOpenDocument parsing methods and capture the source identity of submitted documents
- Monitor egress firewall rules for connections originating from document processing workloads to non-approved destinations
- Track JVM heap and CPU metrics on services using jOpenDocument to detect entity expansion denial of service patterns
How to Mitigate CVE-2026-6501
Immediate Actions Required
- Inventory all Java applications and services bundling jOpenDocument 1.5 and isolate any that accept untrusted document uploads
- Restrict ODF upload endpoints to authenticated, trusted users until mitigations are deployed
- Block outbound network access from servers that parse user-supplied documents to limit data exfiltration paths
Patch Information
No vendor patch is referenced in the NVD entry for CVE-2026-6501 at the time of publication. Monitor the JOpenDocument Documentation for upstream updates. Until an official fix is released, apply the workarounds below to harden XML parsing.
Workarounds
- Wrap jOpenDocument calls with a hardened DocumentBuilderFactory or SAXParserFactory that disables DOCTYPE declarations and external entities
- Pre-process incoming ODF archives and reject any whose embedded XML contains <!DOCTYPE or <!ENTITY directives
- Run document parsing workloads inside sandboxed containers with no filesystem access beyond the document working directory and no outbound network routes
- Enforce file size and parsing time limits to contain entity expansion attacks
# Java system properties to harden XML parsing for jOpenDocument hosts
# Add to JVM startup arguments. They govern only the JDK's built-in JAXP
# parser; a third-party XML parser bundled on the classpath ignores them.
# Caution: for the jdk.xml.* limits a value of 0 (or any value <= 0) means
# "no limit", so the limits below are small positive numbers, not zero.
-Djavax.xml.accessExternalDTD=""
-Djavax.xml.accessExternalSchema=""
-Djdk.xml.entityExpansionLimit=100
-Djdk.xml.maxGeneralEntitySizeLimit=4096
-Djdk.xml.totalEntitySizeLimit=50000
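The pre-filter from Detection Strategies and the hardened-parser and size-limit workarounds above, combined into one upload gate as an added example (not code from jOpenDocument or ILM Informatique): instead of string-matching DOCTYPE tokens, which misses other encodings, it lets a parser configured with the Root Cause features refuse every XML part that carries a DOCTYPE. It assumes Java 11+ with the JDK's built-in JAXP parser; the class and method names and the 16 MiB per-part cap are my own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Gate: every XML part of an ODF archive must pass a DOCTYPE-rejecting parse before jOpenDocument sees it. */
public final class OdfXxeGate {
    static final int MAX_XML_BYTES = 16 * 1024 * 1024;  // assumed per-part cap (the size-limit workaround)
    /** SAXParserFactory with the hardening features named under Root Cause (JDK built-in parser). */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }
    /** "entry: reason" for each XML part the hardened parser refuses (any DOCTYPE => XXE/blowup). Empty = accept. */
    public static List<String> rejectedEntries(InputStream odf) throws Exception {
        SAXParserFactory factory = hardenedFactory();
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(odf)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                if (e.isDirectory() || !e.getName().endsWith(".xml")) continue;
                byte[] xml = zip.readNBytes(MAX_XML_BYTES + 1);  // bound memory before any parsing
                if (xml.length > MAX_XML_BYTES) { rejected.add(e.getName() + ": exceeds size cap"); continue; }
                try {
                    factory.newSAXParser().parse(new ByteArrayInputStream(xml), new DefaultHandler());
                } catch (SAXException ex) {  // DOCTYPE present, or otherwise malformed: fail closed
                    rejected.add(e.getName() + ": " + ex.getMessage());
                }
            }
        }
        return rejected;
    }
    public static void main(String[] args) throws Exception {
        try (InputStream in = Files.newInputStream(Path.of(args[0]))) {
            List<String> bad = rejectedEntries(in);
            System.out.println(bad.isEmpty() ? "ACCEPT: hand to jOpenDocument" : "REJECT: " + bad);
        }
    }
}
```

Run it as `java OdfXxeGate upload.odt` in front of the jOpenDocument call; a non-empty list (or a size-cap rejection) means the archive should be dropped and the upload logged with its source identity.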
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.