Deserialization Vulnerability in c3p0 JDBC Connection Pooling Library
CVE-2026-55223

6.3 MEDIUM

Key Information:

Vendor: Swaldman

Status: Vendor

CVE Published: 30 June 2026

What is CVE-2026-55223?

The c3p0 JDBC connection pooling library is susceptible to a deserialization vulnerability when used in conjunction with other libraries. The issue arises because DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() are treated as properties, which lets an attacker craft a malicious serialized DataSource object whose deserialization invokes those methods and thereby drives a vulnerable JDBC driver, with potential security impact depending on the driver. The issue is resolved in version 0.14.0, and users should upgrade to that version to mitigate the risk.
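The attack described above depends on an application deserializing untrusted bytes into arbitrary classes. Independently of the c3p0 upgrade, a deny-by-default deserialization filter (JEP 290, `java.io.ObjectInputFilter`, Java 9+) stops unexpected classes such as a crafted DataSource from ever being instantiated. The following is an added example, not code from the advisory or from the c3p0 project; the `Greeting` and `Unexpected` classes are constructed stand-ins, and the filter pattern allows only `Greeting` plus `java.base` classes and rejects everything else.

```java
import java.io.*;

// Added example: allowlist-based deserialization filter. Any class not on the
// allowlist (modelled here by the constructed class Unexpected) is rejected
// before its fields are read, so no constructor-like gadget logic can run.
public class DeserializationFilterDemo {

    // Constructed benign payload type that the application expects to receive.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for any class outside the allowlist.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with a filter: allow Greeting and java.base classes, reject all others ("!*").
    static Object deserializeWithAllowlist(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$Greeting;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserializeWithAllowlist(serialize(new Greeting("hello")));
        System.out.println("allowed: " + ok.text);

        try {
            deserializeWithAllowlist(serialize(new Unexpected()));
            System.out.println("BUG: class outside the allowlist was accepted");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED and readObject() fails before instantiation.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real deployment the allowlist names the application's own transfer types, and the same pattern can be installed process-wide with `-Djdk.serialFilter=` so that every ObjectInputStream, including ones opened by third-party libraries, is covered.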

Affected Version(s)

c3p0 < 0.14.0

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved