CVE-2026-27727
Published: 2026-02-25
Summary: mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values by which code can be downloaded and invoked within a running application.
Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `javax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property, `com.sun.jndi.ldap.object.trustURLCodebase`, that defaults to `false`. However, since mchange-commons-java includes an independent implementation of JNDI dereferencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mchange | mchange_commons_java | < 0.4.0 | 0.4.0 |
| swaldman | mchange-commons-java | < 0.4.0 | 0.4.0 |
Detection & IOCs (extracted from sources)
- Detect JNDI dereferencing attempts involving remote factoryClassLocation values in mchange-commons-java; look for applications loading remote class factories via crafted javax.naming.Reference objects.
- Monitor for remote class loading triggered by mchange-commons-java's independent JNDI dereferencing implementation, which bypasses the JDK's com.sun.jndi.ldap.object.trustURLCodebase=false hardening.
- Flag any application classpath containing mchange-commons-java versions prior to 0.4.0, especially when used alongside c3p0, as these are vulnerable to arbitrary remote code execution via JNDI.
- The JDK system property com.sun.jndi.ldap.object.trustURLCodebase (defaulting to false) does NOT protect against this CVE, because mchange-commons-java has its own independent JNDI dereferencing implementation that ignores this JDK-level control.
- mchange-commons-java 0.4.0+ gates JNDI functionality behind configuration parameters that default to restrictive values; verify these are not overridden in application configuration.
- No known workarounds are available for versions prior to 0.4.0; the only remediation is upgrading.
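The third detection item above (flag any classpath carrying mchange-commons-java older than 0.4.0) can be automated with a small classpath scanner. This is an added example, not code from the advisory or from the mchange project; the classpath string is constructed for the demonstration, and jar names are assumed to follow the usual `mchange-commons-java-<version>.jar` Maven naming.

```python
import re
from pathlib import PurePosixPath

# Constructed sample classpath (not taken from the advisory): a mix of jar
# paths as they would appear in a JVM -cp string. Only the two
# mchange-commons-java entries are relevant to CVE-2026-27727.
SAMPLE_CLASSPATH = ":".join([
    "/app/lib/c3p0-0.9.5.5.jar",
    "/app/lib/mchange-commons-java-0.2.20.jar",
    "/opt/shared/mchange-commons-java-0.4.0.jar",
    "/app/lib/postgresql-42.7.3.jar",
])

FIXED_VERSION = (0, 4, 0)  # fixed-in version from the advisory

# Matches the Maven artifact name with an optional qualifier (e.g. -SNAPSHOT).
JAR_RE = re.compile(r"^mchange-commons-java-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '0.2.20' into (0, 2, 20)."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True when the version is strictly below 0.4.0.

    Shorter version strings ('0.3') are right-padded with zeros so that
    tuple comparison treats them as '0.3.0'.
    """
    v = parse_version(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v < FIXED_VERSION


def scan_classpath(classpath, sep=":"):
    """Return (entry, version) for every vulnerable mchange-commons-java jar."""
    findings = []
    for entry in classpath.split(sep):
        match = JAR_RE.match(PurePosixPath(entry).name)
        if match and is_vulnerable(match.group(1)):
            findings.append((entry, match.group(1)))
    return findings


if __name__ == "__main__":
    for path, version in scan_classpath(SAMPLE_CLASSPATH):
        print(f"CVE-2026-27727: {path} (version {version} < 0.4.0)")
```

Feed it the real `-cp` string (or the output of `ls` over a lib directory joined with `:`) to get the vulnerable entries; shaded or renamed jars will not match the filename pattern and need a manifest check instead.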
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 8.9 | HIGH | |
Red Hat (vendor_redhat · 2026-02-25 · CVSS 8.9)
CVE-2026-27727 [HIGH] CWE-502 com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects
GHSA (ghsa · 2026-02-25)
CVE-2026-27727 [HIGH] CWE-502 mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
OSV (osv · 2026-02-25)
CVE-2026-27727 [HIGH] mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla · 2026-02-25 · CVSS 8.9)
CVE-2026-27727 [HIGH] com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects
Wiz (blogs_wiz · CVSS 8.9)
CVE-2026-27727 [HIGH] CVE-2026-27727 Impact, Exploitability, and Mitigation Steps | Wiz
Java vulnerability analysis and mitigation (source: NVD)
- Score: 8.9 (CNA Score 8.9), Severity HIGH
- Published: February 25, 2026
- Affected Technologies: Java, Wolfi
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No (CISA KEV Release Date N/A, Due Date N/A)
- Exploitation Probability (EPSS): 0.1, percentile 28.8
- Affected packages and libraries: c3p0-javadoc, mchange-commons-javadoc
- Sources: NVD; Chainguard (has fix, added Mar 02, 2026); Maven (severity HIGH, has fix, added Mar 02, 2026); Wolfi (has fix, added Mar 08, 2026)
References
- https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44
- https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal
- https://www.mchange.com/projects/c3p0/#configuring_security
- https://www.mchange.com/projects/c3p0/#security-note
- https://access.redhat.com/errata/RHSA-2026:14873
- https://access.redhat.com/errata/RHSA-2026:14874
- https://access.redhat.com/errata/RHSA-2026:18054
- https://access.redhat.com/errata/RHSA-2026:18055
- https://access.redhat.com/errata/RHSA-2026:18059
- https://access.redhat.com/errata/RHSA-2026:3890
- https://access.redhat.com/errata/RHSA-2026:4285
- https://access.redhat.com/security/cve/CVE-2026-27727
- https://bugzilla.redhat.com/show_bug.cgi?id=2442671
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27727.json