CVE-2026-27830: c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
Security readout for executives and security teams
Plain-English summary
CVE-2026-27830 is a high-severity c3p0 flaw where unsafe deserialization in a writable configuration property can lead to unexpected code execution. Business urgency is highest for Java systems using c3p0 before 0.12.0 where attackers can influence connection pool configuration, serialized objects, or JNDI references.
Executive priority
Treat this as a priority remediation for Java estate owners, especially internet-adjacent or multi-tenant systems. The issue can become code execution, but evidence in the supplied bundle does not prove active exploitation. Upgrade planning should be prompt because no supported workaround is provided for older c3p0 versions.
Technical view
Before c3p0 0.12.0, userOverridesAsString stored a hex-encoded Java serialized Map. If an attacker can reset it directly or via crafted serialized objects or javax.naming.Reference instances, deserialization and JNDI dereferencing can execute code from the application classpath, with risk amplified by older mchange-commons-java remote factoryClassLocation behavior.
Likely exposure
Exposure is limited to applications or products using swaldman c3p0 versions below 0.12.0. Risk rises where configuration objects, JNDI references, or serialized c3p0 data can be attacker-influenced. The bundle also lists Red Hat advisories, so environments using packaged Java middleware should check vendor status.
Exploitation context
The provided bundle does not show CISA KEV listing or confirmed active exploitation. It does describe attacker-controlled serialized objects and JNDI references as viable attack conditions, and references a public research blog. Exploitation requires some ability to affect the vulnerable property or related object/reference handling.
Researcher notes
Focus triage on whether attackers can influence userOverridesAsString, serialized c3p0 objects, or javax.naming.Reference data. Confirm exact c3p0 and mchange-commons-java versions. Avoid assuming exploitability from dependency presence alone; the CVSS vector indicates adjacent access, low complexity, low privileges, and present attack requirements.
Mitigation direction
Upgrade c3p0 to 0.12.0 or later.
Ensure mchange-commons-java resolves to 0.4.0 or later.
Apply relevant Red Hat errata for vendor-packaged affected components.
Do not rely on pre-0.12.0 workarounds; sources state none are supported.
Review c3p0 security configuration guidance after upgrading.
Validation and detection
Inventory Java dependencies for c3p0 versions below 0.12.0.
Check dependency trees for older mchange-commons-java versions.
Search configuration for c3p0 ConnectionPoolDataSource usage.
Review JNDI exposure paths that can influence c3p0 objects.
Confirm patched builds no longer serialize userOverridesAsString.
Verify vendor advisories for Red Hat-managed packages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
2ADP providers
14Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.