JNDI Injection and Deserialization Vulnerability in MChange Commons Java Library
CVE-2026-55153

7.1 HIGH

Key Information:

Vendor: Swaldman
CVE Published: 1 July 2026

What is CVE-2026-55153?

The MChange Commons Java library (mchange-commons-java), widely used for shared utility classes in Java applications, has a serious vulnerability in its JNDI ObjectFactory implementation prior to version 0.6.0. The factory constructs objects of arbitrary classes and initializes their properties from the JNDI Reference it is handed, which opens the door to JNDI injection and to exploitation through deserialization gadgets. For instance, improper initialization of a property such as contentType on a Swing JEditorPane can trigger HTTP GET requests to malicious URLs from trusted domains. The risk is amplified by the library's ReferenceIndirector, which allows malicious JNDI Reference objects to be injected during deserialization. Users are advised to update to version 0.6.0 or later to mitigate these risks.
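Added example, not code from mchange-commons-java or its author: a JNDI ObjectFactory written the way the description implies the fix should work, refusing any Reference whose class name is not on a fixed allowlist, rejecting a remote factory location, and setting only a known property through a fixed constructor rather than reflection. The class and property names (example.PoolSettings, poolSize) are constructed placeholders.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.naming.spi.ObjectFactory;

/** Hypothetical allowlisting factory; not part of mchange-commons-java. */
public final class AllowlistObjectFactory implements ObjectFactory {
    /** Constructed placeholder: the only class this factory will ever materialise. */
    static final String ALLOWED_CLASS = "example.PoolSettings";
    private static final Set<String> ALLOWED_PROPS = Set.of("poolSize");
    /** Plain holder returned for an allowlisted Reference. */
    static final class PoolSettings { int poolSize; }

    @Override
    public Object getObjectInstance(Object obj, Name name, Context ctx, Hashtable<?, ?> env)
            throws NamingException {
        if (!(obj instanceof Reference)) return null;   // not a Reference: let other factories decide
        Reference ref = (Reference) obj;
        // A Reference pointing at a remote factory/class location is the classic JNDI-injection vector.
        if (ref.getFactoryClassLocation() != null)
            throw new NamingException("Reference carries factoryClassLocation; refused");
        // Never instantiate whatever class name the Reference asks for; compare against the allowlist.
        if (!ALLOWED_CLASS.equals(ref.getClassName()))
            throw new NamingException("class not allowlisted: " + ref.getClassName());
        PoolSettings s = new PoolSettings();            // known constructor, no reflection
        for (int i = 0; i < ref.size(); i++) {
            RefAddr a = ref.get(i);
            // Only string addresses naming a known property are honoured; anything else is refused.
            if (!(a instanceof StringRefAddr) || !ALLOWED_PROPS.contains(a.getType()))
                throw new NamingException("property not allowlisted: " + a.getType());
            s.poolSize = Integer.parseInt((String) a.getContent());
        }
        return s;
    }

    public static void main(String[] args) throws NamingException {
        ObjectFactory f = new AllowlistObjectFactory();
        Reference bad = new Reference("javax.swing.JEditorPane"); // the class the advisory names
        bad.add(new StringRefAddr("contentType", "text/html"));
        try { f.getObjectInstance(bad, null, null, null); }
        catch (NamingException e) { System.out.println("rejected: " + e.getMessage()); }
        Reference good = new Reference(ALLOWED_CLASS);
        good.add(new StringRefAddr("poolSize", "8"));
        PoolSettings s = (PoolSettings) f.getObjectInstance(good, null, null, null);
        System.out.println("poolSize=" + s.poolSize);
    }
}
```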

Affected Version(s)

mchange-commons-java < 0.6.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved