Apache Calcite security advisories
Security information for Apache Calcite
Reporting
Do you want disclose a potential security issue for Apache Calcite? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
A user-controled model can load arbitrary classes, leading to code execution
CVE-2026-46718 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-02T09:17:49.528Z
Affected
- Apache Calcite from 1.5.0 before 1.42
Description
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite.
This issue affects Apache Calcite: from 1.5.0 before 1.42.
Users are recommended to upgrade to version 1.42, which fixes the issue.
References
Credits
- pyn3rd (finder)
- uname (finder)
- 4ra1n (finder)
Apache Calcite: potential XEE attacks
CVE-2022-39135 [CVE] [CVE json] [OSV json]
Last updated: 2023-09-18T12:55:46.886Z
Affected
- Apache Calcite from Apache Calcite before 1.32.0
Description
Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE, which do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running).
From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.
References
Credits
- Apache Calcite would like to thank David Handermann for reporting this issue
Apache Calcite Avatica JDBC driver httpclient_impl connection property can be used as an RCE vector
CVE-2022-36364 [CVE] [CVE json] [OSV json]
Last updated: 2022-07-28T08:30:13.087Z
Affected
- Apache Calcite Avatica from Apache Calcite Avatica before 1.22.0
Description
Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via httpclient_impl connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare cases remote code execution.
To exploit the vulnerability:
- the attacker needs to have privileges to control JDBC connection parameters;
- and there should be a vulnerable class (constructor with URL parameter and ability to execute code) in the classpath.
From Apache Calcite Avatica 1.22.0 onwards, it will be verified that the class implements the expected interface before invoking its constructor.
References
Credits
- Apache Calcite Avatica would like to thank Peter M (https://twitter.com/h1pmnh) for reporting this issue