{
  "threat_severity" : "Important",
  "public_date" : "2026-02-26T00:45:18Z",
  "bugzilla" : {
    "description" : "c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects",
    "id" : "2442908",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2442908"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects \"indirectly serialized\" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.", "A flaw was found in c3p0, a Java Database Connectivity (JDBC) Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or `javax.naming.Reference` instances. By manipulating the `userOverridesAsString` property, an attacker can cause the application to download and execute malicious code from a remote location on its CLASSPATH." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4.14.4 for Spring Boot 3.5.11",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3890",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.14",
    "package" : "com.mchange/c3p0"
  }, {
    "product_name" : "Red Hat Build of Debezium 3.2",
    "release_date" : "2026-03-11T00:00:00Z",
    "advisory" : "RHSA-2026:4285",
    "cpe" : "cpe:/a:redhat:debezium:3",
    "package" : "com.mchange/c3p0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Not affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Affected",
    "package_name" : "org.hibernate.orm/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Affected",
    "package_name" : "org.hibernate.orm/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "c3p0/c3p0",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "org.hibernate/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Affected",
    "package_name" : "c3p0/c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "io.opentelemetry.instrumentation/opentelemetry-c3p0-0.9",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "io.opentelemetry.javaagent.instrumentation/opentelemetry-javaagent-c3p0-0.9",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Will not fix",
    "package_name" : "org.hibernate/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Affected",
    "package_name" : "org.hibernate.orm/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "c3p0/c3p0",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "io.opentelemetry.instrumentation/opentelemetry-c3p0-0.9",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "io.opentelemetry.javaagent.instrumentation/opentelemetry-javaagent-c3p0-0.9",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.hibernate/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.hibernate.orm/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "com.mchange.v2.c3p0/c3p0",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "org.hibernate/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "org.hibernate.orm.c3p0/hibernate-c3p0",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Affected",
    "package_name" : "com.mchange/c3p0",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27830\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27830\nhttps://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e\nhttps://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv\nhttps://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal\nhttps://www.mchange.com/projects/c3p0/#configuring_security\nhttps://www.mchange.com/projects/c3p0/#security-note" ],
  "name" : "CVE-2026-27830",
  "csaw" : false
}