CVE-2026-27830
Received Received - Intake
Deserialization Vulnerability in c3p0 ConnectionPoolDataSource Enables RCE

Publication date: 2026-02-26

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27830
EUVD
EUVD-2026-8786
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
swaldman c3p0 to 0.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and immediate mitigation step is to upgrade the c3p0 library to version 0.12.0 or later.'}, {'type': 'paragraph', 'content': 'Version 0.12.0 reimplements the userOverridesAsString property to use a safe CSV-based format instead of unsafe Java object deserialization, eliminating the attack surface.'}, {'type': 'paragraph', 'content': 'Additionally, ensure that the dependency mchange-commons-java is upgraded to version 0.4.0 or higher, which restricts remote factoryClassLocation usage by default and enforces name guarding to prevent injection of unexpected JNDI names.'}, {'type': 'paragraph', 'content': 'No supported workarounds exist for versions prior to 0.12.0, so upgrading is essential.'}, {'type': 'paragraph', 'content': "Review and harden your application's configuration to prevent unauthorized resets of the userOverridesAsString property."}] [1, 2]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27830 affects c3p0, a Java JDBC Connection pooling library, due to unsafe handling of the `userOverridesAsString` property in several `ConnectionPoolDataSource` implementations prior to version 0.12.0.'}, {'type': 'paragraph', 'content': "This property was stored as a hex-encoded serialized Java object, which allowed attackers who could reset this propertyβ€”either on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instancesβ€”to execute arbitrary code on the application's classpath."}, {'type': 'paragraph', 'content': "The risk is worsened by vulnerabilities in c3p0's dependency, `mchange-commons-java`, which supports early JNDI functionality with unrestricted remote `factoryClassLocation` values. Attackers could embed objects indirectly serialized through JNDI references, leading to deserialization and dereferencing of malicious `javax.naming.Reference` objects that trigger downloading and execution of malicious code from remote locations."}, {'type': 'paragraph', 'content': 'To fix this, c3p0 version 0.12.0 and later replaced the unsafe Java object deserialization with a safe CSV-based format for the `userOverridesAsString` property and depend on a secure version of `mchange-commons-java` that restricts remote code loading. There are no supported workarounds for versions prior to 0.12.0.'}] [1]

Impact Analysis

This vulnerability allows attackers to execute arbitrary code remotely on the affected system without any user interaction.

Because the vulnerability enables remote code execution via deserialization of malicious objects, it poses a high risk to system confidentiality, integrity, and availability.

An attacker exploiting this flaw could compromise the application and potentially the underlying system, leading to unauthorized access, data breaches, or disruption of services.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying usage of vulnerable versions of the c3p0 library (prior to version 0.12.0) that handle the userOverridesAsString property as a hex-encoded serialized Java object.'}, {'type': 'paragraph', 'content': 'You can check your application dependencies or classpath for c3p0 versions below 0.12.0.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves deserialization of Java-serialized objects and JNDI references, monitoring for suspicious deserialization activity or unexpected resets of the userOverridesAsString property may help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Use dependency management tools to check c3p0 version, e.g., for Maven: mvn dependency:tree | grep c3p0'}, {'type': 'list_item', 'content': 'Search for c3p0 jar files and check their versions: find /path/to/application -name "c3p0*.jar" -exec jar xf {} META-INF/MANIFEST.MF \\; -exec grep \'Implementation-Version\' META-INF/MANIFEST.MF \\;'}, {'type': 'list_item', 'content': 'Monitor logs for deserialization errors or suspicious JNDI lookups related to javax.naming.Reference objects.'}, {'type': 'list_item', 'content': 'Use network monitoring tools to detect unusual outbound connections that may indicate remote code fetching triggered by exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart