c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map>. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing ConnectionPoolDataSource or via maliciously crafted serialized objects or javax.naming.Reference instances could be tailored execute unexpected code on the application's CLASSPATH. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote factoryClassLocation values. Attackers could set c3p0's userOverridesAsString hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded javax.naming.Reference objects could provoke download and execution of malicious code from a remote factoryClassLocation. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The userOverridesAsString property of c3p0 ConnectionPoolDataSource classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote factoryClassLocation values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java com.mchange.v2.naming.nameGuardClassName to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
CVE-2026-27830
This high-severity CVE scores 8.9 under the CNA's CVSS v4.0 (NVD's own analysis pending). EPSS exploit probability: 0.3%, top 45% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 8.0
- EG Score
- 8.9(medium)
- EPSS
- 41.5%
- KEV
- Not listed
Published
February 26, 2026
Last Modified
July 15, 2026
Advisory Details (10)
Auto-updated Jun 30, 2026Affected: Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common
https://access.redhat.com/errata/RHSA-2026:18059Affected: Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common
https://access.redhat.com/errata/RHSA-2026:18055Affected: Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common
https://access.redhat.com/errata/RHSA-2026:18054c3p0-v0.14.1 - JDBC3 Connection and Statement Pooling - Documentation
https://www.mchange.com/projects/c3p0/#security-notec3p0-v0.14.1 - JDBC3 Connection and Statement Pooling - Documentation
https://www.mchange.com/projects/c3p0/#configuring_securityc3p0, you little rascal | MOGWAI LABS
https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascalc3p0 prior to v0.12.0 can be dangerously abused to download and execute malicious code · Advisory · swaldman/c3p0 · GitHub
https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcvcommit e14cbd8166e4 (swaldman/c3p0)
Fix landed in swaldman/c3p0 commit e14cbd8166e4 — awaiting tagged release
https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6eVendor Advisories for CVE-2026-27830(6)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:28385Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.18.6 Async Update
- RHSA-2026:18054Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.6 security update
- RHSA-2026:18055Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.6 security update
- RHSA-2026:18059Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.6 security update
- RHSA-2026:4285Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat build of Debezium 3.2.7 release
- RHSA-2026:3890Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14.4 for Spring Boot release.
Patch Availability(4)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | eap8-hibernate-0:6.6.48-1.Final_redhat_00001.1.el9eap | 2026-05-18 | redhat |
| redhat | org.hibernate.orm/hibernate-c3p0 | 2026-05-18 | redhat |
| redhat | eap8-hibernate-0:6.6.48-1.Final_redhat_00001.1.el8eap | 2026-05-18 | redhat |
| redhat | com.mchange/c3p0 | 2026-03-11 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| com.mchange:c3p0 | 0.10.0 ... 0.9.5.5 (40 versions) | 0.12.0 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 11× in last 7d / 50× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 118 total refreshes for this CVE.
- 2026-07-16 17:03 UTCEPSS rescore
- 2026-07-16 17:03 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:15 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
Show 75 moreShow fewer
- 2026-06-30 04:31 UTCNVD updateCVSS v3 → 8 · severity → HIGH
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 09:32 UTCOSV refresh
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:48 UTCEPSS rescore
- 2026-06-14 23:18 UTCEPSS rescore
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 01:42 UTCEG score recompute
- 2026-06-12 01:42 UTCVendor advisory
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 21:30 UTCEG score recompute
- 2026-06-10 21:30 UTCVendor advisory
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 08:44 UTCEG score recompute
- 2026-06-10 08:44 UTCVendor advisory
- 2026-06-09 18:20 UTCEG score recompute
- 2026-06-09 18:20 UTCVendor advisory
- 2026-06-08 15:05 UTCEG score recompute▲ 8.90
- 2026-06-08 15:05 UTCVendor advisory
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-07 16:27 UTCVendor advisory
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-02 20:13 UTCEPSS rescore
- 2026-06-02 20:13 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 12:13 UTCOSV refresh
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-502 · CWE-94
Frequently asked(5)
What is CVE-2026-27830?
When was CVE-2026-27830 disclosed?
Is CVE-2026-27830 actively exploited?
What is the CVSS score of CVE-2026-27830?
How do I remediate CVE-2026-27830?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-27830
Is Your Infrastructure Affected by CVE-2026-27830?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.