CVE-2026-27727
published 2026-02-25

Priority: P264
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `javax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI dereferencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

Affected (2 ranges)

Vendor   | Product              | Version range | Fixed in
mchange  | mchange_commons_java | < 0.4.0       | 0.4.0
swaldman | mchange-commons-java | < 0.4.0       | 0.4.0

Detection & IOCs (extracted from sources)

  • Detect JNDI dereferencing attempts involving remote factoryClassLocation values in mchange-commons-java; look for applications loading remote class factories via crafted javax.naming.Reference objects
  • Monitor for remote class loading triggered by mchange-commons-java's independent JNDI dereferencing implementation, which bypasses the JDK's com.sun.jndi.ldap.object.trustURLCodebase=false hardening
  • Flag any application classpath containing mchange-commons-java versions prior to 0.4.0, especially when used alongside c3p0, as these are vulnerable to arbitrary remote code execution via JNDI
  • The JDK system property com.sun.jndi.ldap.object.trustURLCodebase (defaulting to false) does NOT protect against this CVE because mchange-commons-java has its own independent JNDI dereferencing implementation that ignores this JDK-level control
  • mchange-commons-java 0.4.0+ gates JNDI functionality behind configuration parameters that default to restrictive values — verify these are not overridden in application configuration
  • No known workarounds are available for versions prior to 0.4.0; the only remediation is upgrading
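As an added example (not part of this advisory and not code from the mchange-commons-java project), a Python scanner that implements the classpath check from the detection notes above: it finds mchange-commons-java references on a CLASSPATH or in `mvn dependency:tree` output and reports every version below the fixed release 0.4.0, comparing versions numerically rather than as strings. The jar naming pattern, the coordinate format and the treatment of 0.4.0 pre-release builds are assumptions; the sample lines are constructed.

```python
import os
import re
# First fixed release named by the advisory; every earlier version is affected.
FIXED = (0, 4, 0)
# Jar names such as mchange-commons-java-0.2.20.jar or ...-0.4.0-SNAPSHOT.jar
_JAR_RE = re.compile(r"^mchange-commons-java-(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?\.jar$")
# Maven/Gradle coordinates, e.g. com.mchange:mchange-commons-java:jar:0.2.20:compile
_COORD_RE = re.compile(
    r"com\.mchange:mchange-commons-java:(?:[A-Za-z]+:)?(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?")

def parse_version(text):
    """'0.2.20' -> (0, 2, 20); padded so '0.4' compares equal to 0.4.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def is_vulnerable(version, qualifier=None):
    """Numeric compare against 0.4.0 (a string compare would rank 0.10.0 below 0.4.0).
    Assumption: a pre-release of 0.4.0 itself (0.4.0-SNAPSHOT) predates the fix."""
    base = parse_version(version)
    return base < FIXED or (base == FIXED and qualifier is not None)

def versions_in(entry):
    """Yield (version, qualifier) for each mchange-commons-java reference in one
    classpath entry or one dependency-tree line."""
    m = _JAR_RE.match(re.split(r"[\\/]", entry.strip())[-1])
    if m:
        yield m.group(1), m.group(2)
    for m in _COORD_RE.finditer(entry):
        yield m.group(1), m.group(2)

def find_vulnerable(lines):
    """Return [(line, version)] for every reference below the fixed release."""
    return [(line.strip(), v) for line in lines
            for v, q in versions_in(line) if is_vulnerable(v, q)]

def scan_classpath(classpath):
    """Split a CLASSPATH string on the platform separator and scan each entry."""
    return find_vulnerable(classpath.split(os.pathsep))

# Constructed sample: two classpath entries and two `mvn dependency:tree` lines.
SAMPLE = [
    "/opt/app/lib/c3p0-0.9.5.5.jar",
    "/opt/app/lib/mchange-commons-java-0.2.20.jar",
    "[INFO] +- com.mchange:mchange-commons-java:jar:0.4.0:compile",
    "[INFO] +- com.mchange:c3p0:jar:0.9.5.5:compile",
]

if __name__ == "__main__":
    for line, version in find_vulnerable(SAMPLE):
        print(f"VULNERABLE (< 0.4.0): {version} from {line}")
```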

CVSS provenance

nvd           v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v4.0  8.9  HIGH      CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat       8.9  HIGH