[ 
https://issues.apache.org/jira/browse/CALCITE-7532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julian Hyde updated CALCITE-7532:
---------------------------------
    Description: 
Apache Calcite allows users to define a schema model via the JDBC connection 
URL using the {{model=inline:{...}}} parameter. Within this inline model, it is 
possible to register arbitrary Java static methods as custom SQL functions by 
specifying a {{className}} and {{methodName}} in the schema's {{functions}} 
array.

An attacker who can influence the JDBC connection URL (or the model JSON) can 
register any publicly accessible Java method — including methods from dangerous 
classes such as:
* {{org.codehaus.groovy.runtime.InvokerHelper#invokeMethod}} (RCE directly)
* {{javax.naming.InitialContext.doLookup}} (JNDI RCE such as log4j2)
* {{java.lang.System.getProperty/setProperty}} (JVM information leakage etc.)

Once registered, these methods can be invoked directly through SQL queries, 
resulting in arbitrary operating system command execution on the server hosting 
the Calcite JDBC driver.

This vulnerability requires NO authentication and NO special privileges beyond 
the ability to supply a JDBC URL or model configuration string.
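One defensive check a deployment can run before a caller-supplied URL ever reaches the driver is to parse the inline model and refuse any function binding whose class is not on a short allowlist. The code below is an added example, not part of the Calcite project; the allowlist, the URLs and the assumption that the model is the last property in the URL are constructed for illustration.

```python
import json
import re
from typing import Iterable, List, Optional

# Constructed allowlist: the only classes this deployment permits as UDF hosts.
ALLOWED_UDF_CLASSES = frozenset({"com.example.udf.SafeFunctions"})

# Matches the start of an inline model inside a Calcite JDBC URL
# (e.g. "jdbc:calcite:model=inline:{...}" or "...;model=inline:{...}").
INLINE_MODEL = re.compile(r"(?:^|[;:])model=inline:")


def extract_inline_model(jdbc_url: str) -> Optional[str]:
    """Return the JSON text of an inline model, or None if the URL has none.
    Assumption: the model is the last property, so the JSON runs to the end."""
    m = INLINE_MODEL.search(jdbc_url)
    return None if m is None else jdbc_url[m.end():]


def audit_model(model_json: str,
                allowed: Iterable[str] = ALLOWED_UDF_CLASSES) -> List[str]:
    """Walk schemas[].functions[] and report every className not on the allowlist.
    An unparseable model is reported as a finding rather than silently accepted."""
    allowed = set(allowed)
    try:
        model = json.loads(model_json)
    except json.JSONDecodeError as exc:
        return ["unparseable model JSON: %s" % exc]
    findings = []
    for schema in model.get("schemas", []):
        for fn in schema.get("functions", []):
            cls = fn.get("className", "")
            if cls not in allowed:
                findings.append("schema %r: function %r binds %s#%s (not allowlisted)"
                                % (schema.get("name"), fn.get("name"),
                                   cls, fn.get("methodName", "*")))
    return findings


def is_safe_url(jdbc_url: str) -> bool:
    """True when the URL carries no inline model or every function is allowlisted."""
    model = extract_inline_model(jdbc_url)
    return model is None or not audit_model(model)


# Constructed sample URLs: one binding a class named in the report, one allowlisted.
SUSPECT_URL = ('jdbc:calcite:model=inline:{"version":"1.0","schemas":[{"name":"S",'
               '"functions":[{"name":"P","className":"java.lang.System",'
               '"methodName":"getProperty"}]}]}')
CLEAN_URL = ('jdbc:calcite:model=inline:{"version":"1.0","schemas":[{"name":"S",'
             '"functions":[{"name":"F","className":"com.example.udf.SafeFunctions",'
             '"methodName":"f"}]}]}')
```

Run `audit_model(extract_inline_model(SUSPECT_URL))` to see the finding for the `java.lang.System` binding; `is_safe_url(CLEAN_URL)` returns `True`.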

> A user-controlled model can load arbitrary classes, leading to code execution 
> (CVE-2026-46718)
> ---------------------------------------------------------------------------------------------
>
>                 Key: CALCITE-7532
>                 URL: https://issues.apache.org/jira/browse/CALCITE-7532
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Julian Hyde
>            Assignee: Julian Hyde
>            Priority: Major
>             Fix For: 1.42.0
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)