JDBC Connection Pooling Library Vulnerability in c3p0 by MChange
CVE-2026-27830

8.9 HIGH

Key Information:

Vendor:
Swaldman
Status:
Vendor
CVE Published:
26 February 2026

What is CVE-2026-27830?

The c3p0 library, a widely used JDBC connection pooling solution, is susceptible to a deserialization vulnerability involving crafted Java-serialized objects and javax.naming.Reference instances. Specifically, the userOverridesAsString property, which accepted its value as a hex-encoded serialized object, poses a significant risk: an attacker able to set this property could execute arbitrary code available on the application's classpath. Although issues in c3p0's core dependency, mchange-commons-java, amplify this threat, the weakness primarily stems from how Java-serialized objects are permitted across JNDI interfaces. The vulnerability has been addressed in version 0.12.0 and later, which use a safer CSV-based property format and restrict configuration of remote class-location values.
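As an added example, not code from the c3p0 project or from this advisory, the following Java snippet audits a set of configuration properties for values that hex-decode to a Java serialization stream, i.e. bytes beginning with the header 0xAC 0xED 0x00 0x05 that every Java serialization stream starts with. This is the defender's check suggested by the description above: configuration that reaches the pool as hex-encoded serialized objects is exactly what should not be present once the fixed CSV-based format is in use. The property names and sample values are constructed for illustration; the advisory does not give the exact property key or the fixed format, and the CSV-like value below is not a claim about the real 0.12.0 syntax.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Audits configuration values for hex-encoded Java serialization streams.
 * Added example; property names are illustrative, not c3p0's actual keys.
 */
public final class SerializedConfigAudit {

    // Every Java serialization stream starts with STREAM_MAGIC (0xACED)
    // followed by STREAM_VERSION (0x0005).
    private static final byte[] STREAM_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    /** True if the string is non-empty, even-length, and made only of hex digits. */
    static boolean isHexString(String s) {
        if (s == null || s.isEmpty() || s.length() % 2 != 0) return false;
        for (int i = 0; i < s.length(); i++) {
            if (Character.digit(s.charAt(i), 16) < 0) return false;
        }
        return true;
    }

    /** Decodes an already-validated hex string (upper or lower case) to bytes. */
    static byte[] hexDecode(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** True if the value hex-decodes to bytes that begin with the serialization header. */
    static boolean isHexEncodedSerializedObject(String value) {
        if (value == null) return false;
        String trimmed = value.trim();
        if (!isHexString(trimmed) || trimmed.length() < STREAM_HEADER.length * 2) return false;
        byte[] bytes = hexDecode(trimmed);
        for (int i = 0; i < STREAM_HEADER.length; i++) {
            if (bytes[i] != STREAM_HEADER[i]) return false;
        }
        return true;
    }

    /** Returns the subset of properties whose values look like serialized Java objects. */
    static Map<String, String> findSerializedValues(Properties props) {
        Map<String, String> hits = new LinkedHashMap<>();
        for (String name : props.stringPropertyNames()) {
            String value = props.getProperty(name);
            if (isHexEncodedSerializedObject(value)) {
                hits.put(name, value);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        Properties props = new Properties();
        // Constructed sample values for this demo; not taken from any real deployment.
        // This hex string decodes to the serialization header followed by the
        // TC_OBJECT (0x73) and TC_CLASSDESC (0x72) tags: the opening bytes of a
        // serialized object, with no further payload.
        props.setProperty("c3p0.userOverridesAsString", "ACED00057372");
        // A constructed CSV-like override value (not the actual c3p0 0.12.0 format).
        props.setProperty("c3p0.userOverridesAsString.alt", "user1,maxPoolSize,20");
        // A plain hex string that is not a serialization stream.
        props.setProperty("c3p0.someHexValue", "DEADBEEF");

        Map<String, String> hits = findSerializedValues(props);
        if (hits.isEmpty()) {
            System.out.println("No hex-encoded serialized objects found.");
        } else {
            hits.forEach((k, v) -> System.out.println("SUSPICIOUS " + k + " = " + v));
        }
    }
}
```

Only the first property is reported; the CSV-like value and the plain hex value are not. The check is deliberately independent of c3p0 so it can be run over any Properties source (system properties, a loaded properties file, a JNDI-supplied configuration) before the pool is constructed. Upgrading to 0.12.0 or later remains the fix; as a defence in depth on Java 9 and newer, a process-wide deserialization filter set through the jdk.serialFilter system property (or ObjectInputFilter.Config.setSerialFilter) limits which classes any ObjectInputStream in the JVM may resolve.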

Affected Version(s)

c3p0 < 0.12.0

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
