This is not really a big issue, because most setups use a "good" context classloader. The context classloader is required by the Java ServiceProvider standard to look for META-INF classes. To work around issues in some setups, the analysis and codec SPIs also scan our own classloader, if it is not a parent of the context one. This check requires permissions, if we are not a parent.
This will fix the parent check to simply return false (and enforce classpath rescan) if we don't have enough permissions. This is the right thing to do, because if we have no permissions, we are also not a parent!