LiveActive security incident?Get immediate response
CVE Record

CVE-2026-27830: c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.

HighCVSS 8.9Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2026-27830 is a high-severity c3p0 flaw where unsafe deserialization in a writable configuration property can lead to unexpected code execution. Business urgency is highest for Java systems using c3p0 before 0.12.0 where attackers can influence connection pool configuration, serialized objects, or JNDI references.

Executive priority

Treat this as a priority remediation for Java estate owners, especially internet-adjacent or multi-tenant systems. The issue can become code execution, but evidence in the supplied bundle does not prove active exploitation. Upgrade planning should be prompt because no supported workaround is provided for older c3p0 versions.

Technical view

Before c3p0 0.12.0, userOverridesAsString stored a hex-encoded Java serialized Map. If an attacker can reset it directly or via crafted serialized objects or javax.naming.Reference instances, deserialization and JNDI dereferencing can execute code from the application classpath, with risk amplified by older mchange-commons-java remote factoryClassLocation behavior.

Likely exposure

Exposure is limited to applications or products using swaldman c3p0 versions below 0.12.0. Risk rises where configuration objects, JNDI references, or serialized c3p0 data can be attacker-influenced. The bundle also lists Red Hat advisories, so environments using packaged Java middleware should check vendor status.

Exploitation context

The provided bundle does not show CISA KEV listing or confirmed active exploitation. It does describe attacker-controlled serialized objects and JNDI references as viable attack conditions, and references a public research blog. Exploitation requires some ability to affect the vulnerable property or related object/reference handling.

Researcher notes

Focus triage on whether attackers can influence userOverridesAsString, serialized c3p0 objects, or javax.naming.Reference data. Confirm exact c3p0 and mchange-commons-java versions. Avoid assuming exploitability from dependency presence alone; the CVSS vector indicates adjacent access, low complexity, low privileges, and present attack requirements.

Mitigation direction

  • Upgrade c3p0 to 0.12.0 or later.
  • Ensure mchange-commons-java resolves to 0.4.0 or later.
  • Apply relevant Red Hat errata for vendor-packaged affected components.
  • Do not rely on pre-0.12.0 workarounds; sources state none are supported.
  • Review c3p0 security configuration guidance after upgrading.

Validation and detection

  • Inventory Java dependencies for c3p0 versions below 0.12.0.
  • Check dependency trees for older mchange-commons-java versions.
  • Search configuration for c3p0 ConnectionPoolDataSource usage.
  • Review JNDI exposure paths that can influence c3p0 objects.
  • Confirm patched builds no longer serialize userOverridesAsString.
  • Verify vendor advisories for Red Hat-managed packages.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-502: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · medium confidence lookup

CWE-94: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-27830 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.9 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
14Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.9CVSS 4.0HighCVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HGitHub_M
8CVSS 3.1HighCVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H2.15.9redhat-SADP

Vulnerability scoring details

Base CVSS 4.0 score

8.9High
CVSS 4.0 vector shape for CVE-2026-27830Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPc3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects
other:Red Hat severity ratingcvssV3_1
  • 2026-02-26T01:01:56.834Z: Reported to Red Hat.
  • 2026-02-26T00:45:18.222Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
swaldmanc3p0< 0.12.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.