CVE-2026-13500

Code Injection in ANTLR4 Grammar Action Block

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A weakness has been identified in antlr ANTLR4 up to 4.13.2. Affected is an unknown function of the file tool/src/org/antlr/v4/codegen/model/OutputFile.java of the component Grammar Action Block Handler. Executing a manipulation can lead to code injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: antlr
Product: antlr4
Version / Range: to 4.13.2 (inclusive)

Exploitability

CWE

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Executive Summary

CVE-2026-13500 is a critical arbitrary code injection vulnerability in ANTLR4 up to and including version 4.13.2. ANTLR4 allows grammar files (.g4) to embed action blocks, and the tool copies them into the generated source code without any sanitization. These action blocks can contain malicious Java code that executes during class loading, specifically in static initializers.

An attacker can submit a malicious grammar file through various means such as web uploads, pull requests, CI pipelines, or online playgrounds. When ANTLR4 processes this file, it generates Java classes that include the malicious code, which executes automatically when the class is loaded, leading to remote code execution.

Impact Analysis

This vulnerability can lead to full system compromise. An attacker exploiting it can execute arbitrary commands on the affected system, gain full filesystem access, and potentially control the entire environment where ANTLR4 is used.

Because the attack requires no special privileges and can be triggered remotely by submitting a malicious grammar file, it poses a significant risk especially in environments that process untrusted grammar files, such as online grammar playgrounds, CI/CD pipelines, or public repositories.

Detection Guidance

This vulnerability can be detected by identifying the presence and processing of malicious ANTLR4 grammar files (.g4) that contain embedded action blocks with arbitrary Java code. Monitoring for uploads or usage of untrusted .g4 files in your environment, especially in CI/CD pipelines, web uploads, or online grammar playgrounds, is critical.

Since the exploit involves processing grammar files with embedded code, detection can include scanning for .g4 files containing suspicious action blocks such as @header, @members, @init, @after, or inline {} blocks with Java code.

Commands to help detect suspicious files might include searching for these patterns in .g4 files, for example using grep:

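  • grep -r -n -E --include='*.g4' '@([A-Za-z_]+::)?(header|members|init|after)|\{' /path/to/grammar/files (the \{ alternative matches every brace, including options blocks and quoted '{' literals, so the hits need review)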
  • grep -r 'class ' /path/to/generated/java/classes to identify generated classes that might contain injected code

Additionally, monitoring logs for unexpected class loading or static initializer execution related to ANTLR4 generated classes may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include preventing the processing of untrusted or malicious ANTLR4 grammar files that contain embedded action blocks.

Specifically, you should:

  • Avoid accepting or processing grammar files from untrusted sources, especially in automated pipelines or online playgrounds.
  • Implement or enable a safe mode (if available) that strips or rejects action blocks in grammar files before processing.
  • Use a grammar sanitizer to clean or validate grammar files to remove potentially malicious embedded code.
  • Process grammar files in isolated, restricted environments (e.g., sandboxed containers or VMs) to limit the impact of any code execution.

Since the vendor has not responded, applying these mitigations proactively is critical to reduce risk.
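
A brace-aware version of the scan from Detection Guidance, usable as the reject-on-any-finding gate described in the mitigation list. This is an added example, not code from the original page or from the ANTLR project; find_action_blocks and the sample grammar are constructed for illustration. It skips comments and quoted literals such as '{', recognises scoped names like @parser::members, also reports {...}? predicates, and does not report options/tokens/channels blocks.

```python
import re

# Grammar-level lexemes that can hide or mimic a brace; all other text is skipped.
_LEXEME = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:\\.|[^'\\\n])*')
  | (?P<bracket>\[(?:\\.|[^\]\\])*\])
  | (?P<brace>\{)
""", re.S | re.X)
_NAMED = re.compile(r"(@\s*(?:\w+\s*::\s*)?\w+)\s*$")     # @header, @parser::members
_DECL = re.compile(r"\b(?:options|tokens|channels)\s*$")  # brace blocks without code

# Constructed sample grammar (not taken from the page or from any real project).
SAMPLE = r"""
grammar Demo;
options { tokenVocab = DemoLexer; }
@parser::members { int depth = 0; }
/* @header { ignored: inside a comment } */
start : '{' item* '}' ;
item  @init { depth++; } : ID {depth < 3}? ID { System.out.println($ID.text); } ;
"""

def _block_end(text, start):
    """Index just past the '}' that closes the '{' at start (plain depth count)."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return i + 1
    return len(text)

def find_action_blocks(text):
    """Return (line, kind) for each embedded target-code block in a .g4 text."""
    findings, pos = [], 0
    while (m := _LEXEME.search(text, pos)):
        pos, line = m.end(), text.count("\n", 0, m.start()) + 1
        if m.lastgroup == "bracket" and "{" in m.group():
            findings.append((line, "brace inside [...]"))  # fail closed
        if m.lastgroup != "brace":
            continue
        before = text[max(0, m.start() - 80):m.start()]
        named = _NAMED.search(before)
        if not named and _DECL.search(before):
            continue  # options/tokens/channels: keep scanning inside as grammar
        pos = _block_end(text, m.start())  # skip the embedded code body
        kind = (named.group(1) if named
                else "predicate" if text[pos:pos + 1] == "?" else "inline action")
        findings.append((line, kind))
    return findings
```

A gate built on this rejects the grammar whenever the returned list is non-empty; the brace matching inside action bodies is approximate, which is acceptable only because the first finding already fails the file.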

Compliance Impact

CVE-2026-13500 allows remote code execution through malicious grammar files in ANTLR4, potentially leading to full system compromise and unauthorized access to sensitive data.

Such unauthorized access and system compromise could result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Organizations using vulnerable versions of ANTLR4 without proper mitigation may face compliance risks due to the possibility of data breaches or unauthorized data manipulation stemming from this vulnerability.
