CVE-2026-55153

JNDI Injection in mchange-commons-java via JavaBeanObjectFactory


Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

mchange-commons-java is a Java library of shared utility classes used by mchange projects like the c3p0 connection pool. Prior to version 0.6.0, its JNDI ObjectFactory implementation (com.mchange.v2.naming.JavaBeanObjectFactory) will construct objects of arbitrary classes and initialize "JavaBean"-style properties, which for certain classes enables JNDI injection and "deserialization gadgets." Such initialization is unsafe for some classes: for example, setting the contentType property of a Swing JEditorPane to text/html and its text property to HTML containing a stylesheet <link> will provoke an HTTP GET on an arbitrary URL, potentially from within a trusted security domain. The problem is aggravated by the library's ReferenceIndirector, through which malicious JNDI Reference objects can be smuggled in for dereferencing wherever an application reads a Java-serialized object. This has been resolved in version 0.6.0.

Meta Information

Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product         Version / Range
mchange   commons-java    up to 0.6.0 (exclusive)

Exploitability

CWE-470: The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

AI Quick Actions

Executive Summary

The vulnerability exists in the mchange-commons-java library, specifically in its JNDI ObjectFactory implementation (com.mchange.v2.naming.JavaBeanObjectFactory) prior to version 0.6.0. This implementation constructs objects of arbitrary classes and initializes JavaBean-style properties in an unsafe manner. For certain classes, this enables JNDI injection and the use of deserialization gadgets.

For example, setting the contentType property of a Swing JEditorPane to text/html and its text property to HTML containing a stylesheet link can cause the application to perform an HTTP GET request to an arbitrary URL, potentially within a trusted security domain. Additionally, the ReferenceIndirector component allows malicious JNDI Reference objects to be smuggled and dereferenced when an application reads a Java-serialized object.

This unsafe initialization and dereferencing behavior can lead to exploitation through JNDI injection and deserialization attacks.

Impact Analysis

This vulnerability can have serious impacts including unauthorized remote code execution or data access. Because the vulnerable code can cause HTTP requests to arbitrary URLs within trusted security domains, attackers may exploit this to perform actions on behalf of the application or access sensitive internal resources.

The vulnerability also allows malicious JNDI Reference objects to be injected and dereferenced, which can lead to deserialization attacks, potentially compromising confidentiality, integrity, and availability of the affected system.

The CVSS v3.1 base score of 7.1 reflects a high severity with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade the mchange-commons-java library to version 0.6.0 or later, where the unsafe JNDI ObjectFactory implementation has been fixed.
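The two weaknesses listed above (CWE-470 and CWE-502) map onto the two paths the description names: an ObjectFactory that lets the Reference's class name pick what gets instantiated, and a serialized Reference that is later dereferenced. The following is an added example, not code from mchange-commons-java or c3p0, showing the defensive pattern for each path in plain JDK APIs. PoolSettings, AllowlistObjectFactory and rejectJndiReferences are hypothetical names; the only real APIs used are javax.naming.spi.ObjectFactory, javax.naming.Reference and java.io.ObjectInputFilter.

```java
import java.io.ObjectInputFilter;
import java.util.Hashtable;
import java.util.Map;
import java.util.function.Function;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.spi.ObjectFactory;

/** Hypothetical application type that a JNDI Reference is permitted to describe. */
final class PoolSettings {
    final String jdbcUrl;
    final int maxPoolSize;

    PoolSettings(String jdbcUrl, int maxPoolSize) {
        this.jdbcUrl = jdbcUrl;
        this.maxPoolSize = maxPoolSize;
    }
}

/**
 * Hypothetical ObjectFactory that never lets the Reference choose the class.
 * Contrast with a factory that does Class.forName(ref.getClassName()) and then
 * sets whatever JavaBean properties the Reference lists: here the class name is
 * only a lookup key into a fixed table, and each allowed type has a hand-written
 * builder that reads exactly the addresses it expects.
 */
public final class AllowlistObjectFactory implements ObjectFactory {

    // Hand-written builder for the one allowed type; no reflection involved.
    private static final Function<Reference, Object> POOL_SETTINGS_BUILDER =
        ref -> new PoolSettings(stringAddr(ref, "jdbcUrl"),
                                Integer.parseInt(stringAddr(ref, "maxPoolSize")));

    // The complete set of reconstructable classes. Anything else is refused.
    private static final Map<String, Function<Reference, Object>> BUILDERS =
        Map.of(PoolSettings.class.getName(), POOL_SETTINGS_BUILDER);

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (!(obj instanceof Reference)) {
            return null; // not a Reference: decline so the next factory can try
        }
        Reference ref = (Reference) obj;
        Function<Reference, Object> builder = BUILDERS.get(ref.getClassName());
        if (builder == null) {
            // Fail closed and loudly; never fall back to instantiating by name.
            throw new NamingException("refusing to construct non-allowlisted class "
                                      + ref.getClassName());
        }
        return builder.apply(ref);
    }

    /** Reads one string-valued address from the Reference, rejecting anything else. */
    private static String stringAddr(Reference ref, String addrType) {
        RefAddr addr = ref.get(addrType);
        if (addr == null || !(addr.getContent() instanceof String)) {
            throw new IllegalArgumentException("missing or non-string address: " + addrType);
        }
        return (String) addr.getContent();
    }

    /**
     * Covers the second path from the description: a Reference arriving inside a
     * Java-serialized stream. Installed with ObjectInputStream.setObjectInputFilter(...),
     * it rejects any Reference (or subclass) before it is materialized, so there is
     * nothing left for an indirector to dereference.
     */
    public static ObjectInputFilter rejectJndiReferences() {
        return info -> {
            Class<?> c = info.serialClass(); // null for primitives and array depth records
            if (c != null && Reference.class.isAssignableFrom(c)) {
                return ObjectInputFilter.Status.REJECTED;
            }
            return ObjectInputFilter.Status.UNDECIDED; // defer to other filters or defaults
        };
    }
}
```

The factory is registered the usual way (for example through the Reference's factory class name or the JNDI environment); the deserialization filter is set per stream or process-wide with ObjectInputFilter.Config.setSerialFilter. Neither replaces the upgrade to 0.6.0; they are the shape of the control that the fixed version adds and that an application reading serialized data from outside its trust boundary should have regardless of this library.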
