Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.9
Apache Commons C3P0 allows attackers to run code remotely
CVE-2026-27830
GHSA-5476-xc4j-rqcv
Summary
Apache Commons C3P0, a connection pooling library, contains a security flaw that allows an attacker to run malicious code on your server if they can manipulate a specific configuration setting. This could happen if an attacker is able to reset this setting or if they can trick the library into loading code from a remote location. To protect your server, update to a version of C3P0 that fixes this issue or avoid using the `userOverridesAsString` property if possible.
What to do
- Update mchange com.mchange:c3p0 to version 0.12.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mchange | com.mchange:c3p0 | <= 0.12.0 | 0.12.0 |
Original title
c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
Original description
### Impact
c3p0 is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`.
The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`.
Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility.
### Patches
The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization.
c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. Those parameters are documented [here](https://www.mchange.com/projects/c3p0/#configuring_security).
c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names.
### Workarounds
Users should upgrade to c3p0-0.12.0 or above. There is no supported workaround for earlier versions of c3p0.
### References
[c3p0, you little rascal — Hans-Martin Münch](https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal/)
[c3p0 documentation, security note](https://www.mchange.com/projects/c3p0/#security-note)
[c3p0 documentation, configuring security](https://www.mchange.com/projects/c3p0/#configuring_security)
c3p0 is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`.
The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`.
Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility.
### Patches
The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization.
c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. Those parameters are documented [here](https://www.mchange.com/projects/c3p0/#configuring_security).
c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names.
### Workarounds
Users should upgrade to c3p0-0.12.0 or above. There is no supported workaround for earlier versions of c3p0.
### References
[c3p0, you little rascal — Hans-Martin Münch](https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal/)
[c3p0 documentation, security note](https://www.mchange.com/projects/c3p0/#security-note)
[c3p0 documentation, configuring security](https://www.mchange.com/projects/c3p0/#configuring_security)
nvd CVSS4.0
8.9
Vulnerability type
CWE-94
Code Injection
CWE-502
Deserialization of Untrusted Data
- https://nvd.nist.gov/vuln/detail/CVE-2026-27830
- https://github.com/advisories/GHSA-5476-xc4j-rqcv
- https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e
- https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv
- https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal
- https://www.mchange.com/projects/c3p0/#configuring_security
- https://www.mchange.com/projects/c3p0/#security-note
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026