Cyber Resilience

CVE-2026-27727

High · Public PoC · RCE · Updated

Published: 25 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (upgrade to 0.4.0 or later)
CVSS v4.0 base score: 8.9 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0058 (43.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27727 is a high-severity Injection (CWE-74) vulnerability in mchange-commons-java (vendor: Mchange). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27727 is a critical vulnerability in the mchange-commons-java library, a collection of Java utilities that includes an independent implementation mirroring early JNDI functionality. That implementation honours remote factoryClassLocation values in maliciously crafted javax.naming.Reference objects or serialized objects, which lets remote code be downloaded and executed inside the running application. The issue affects versions prior to 0.4.0 whenever the library is on the application CLASSPATH, including when it arrives transitively through dependent libraries such as c3p0. Although the JDK hardened its own JNDI dereferencing by defaulting com.sun.jndi.ldap.object.trustURLCodebase to false, mchange-commons-java's separate code path is not covered by that protection.

An attacker can exploit this remotely over the network with low complexity, requiring no privileges or user interaction (CVSS v3 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8). By provoking an application to process a malicious Reference or serialized object, the attacker triggers the library to download and invoke arbitrary remote code, achieving full remote code execution (RCE) with high impact on confidentiality, integrity, and availability. Associated with CWE-74, exploitation targets applications using vulnerable versions of mchange-commons-java or dependents such as c3p0.

Advisories recommend upgrading to mchange-commons-java version 0.4.0 or later, where JNDI functionality is gated by configuration parameters defaulting to restrictive values, mirroring the JDK's mitigation approach. No known workarounds exist, and versions prior to 0.4.0 should be removed from application CLASSPATHs. Relevant guidance appears in the library's security advisories and c3p0 documentation.

Vulnerability details

mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `javax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property, `com.sun.jndi.ldap.object.trustURLCodebase`, that defaults to `false`. However, since mchange-commons-java includes an independent implementation of JNDI dereferencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

CWE(s): CWE-74 (Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote code execution by exploiting a public-facing application via malicious JNDI-like Reference or serialized objects over the network, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25814 (shared CWE-74)
CVE-2026-7770 (shared CWE-74)
CVE-2022-31631 (shared CWE-74)
CVE-2026-26002 (shared CWE-74)
CVE-2026-2019 (shared CWE-74)
CVE-2026-32695 (shared CWE-74)
CVE-2024-39604 (shared CWE-74)
CVE-2026-45344 (shared CWE-74)
CVE-2025-64428 (shared CWE-74)
CVE-2026-6279 (shared CWE-74)

Affected Assets

Vendor: mchange
Product: mchange commons java
Versions: ≤ 0.4.0 (as listed; the advisory text above states that versions prior to 0.4.0 are affected and that 0.4.0 is the fixed release)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, directly addressing this CVE by mandating upgrades to mchange-commons-java version 0.4.0 or later, where JNDI functionality defaults to restrictive settings.

Prevent: SA-22 (Unsupported System Components) prohibits unsupported system components, preventing inclusion of vulnerable pre-0.4.0 mchange-commons-java or dependents such as c3p0 on application CLASSPATHs.

Detect: RA-5 (Vulnerability Monitoring and Scanning) identifies systems with vulnerable mchange-commons-java versions, enabling targeted remediation.
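As an added detection-side example (not code from this page, from mchange, or from c3p0): a small classpath scanner that flags jars carrying mchange-commons-java older than 0.4.0 by reading their Maven pom.properties entry, and lists c3p0 so its transitive dependency gets checked. The com.mchange group id and the sample jars are assumed and constructed for the demo; version strings are compared numerically so a hypothetical 0.10.0 sorts above 0.4.0.

```python
"""Classpath scan for mchange-commons-java builds older than 0.4.0 (CVE-2026-27727).
Added example for this page, not mchange or c3p0 code. Assumes Maven-built jars carrying
META-INF/maven/<group>/<artifact>/pom.properties; the group id com.mchange is assumed."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (0, 4, 0)   # first release where JNDI dereferencing is gated, per the advisory
ARTIFACTS = {"mchange-commons-java", "c3p0"}  # c3p0 is the dependent the page names

def parse_version(v):  # '0.3.17' -> (0, 3, 17); numeric, so '0.10.0' sorts above '0.4.0'
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def inspect_jar(path):
    """Return (artifact, version) pairs from any watched pom.properties entry in the jar."""
    found = []
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            m = re.fullmatch(r"META-INF/maven/[^/]+/([^/]+)/pom\.properties", name)
            if m and m.group(1) in ARTIFACTS:
                lines = jar.read(name).decode().splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                found.append((m.group(1), props.get("version", "")))
    return found

def scan_classpath(directory):  # flag mchange-commons-java < 0.4.0; c3p0 is listed so its dependency gets checked
    findings = []
    for jar_path in sorted(Path(directory).glob("*.jar")):
        for artifact, version in inspect_jar(jar_path):
            vulnerable = artifact == "mchange-commons-java" and parse_version(version) < FIXED
            findings.append({"jar": jar_path.name, "artifact": artifact,
                             "version": version, "vulnerable": vulnerable})
    return findings

def make_jar(path, group, artifact, version):  # constructed demo jar, not a real build
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"# constructed\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")

def run_demo():  # three constructed jars: one vulnerable, one fixed, one dependent
    with tempfile.TemporaryDirectory() as d:
        make_jar(Path(d) / "mchange-commons-java-0.3.17.jar", "com.mchange", "mchange-commons-java", "0.3.17")
        make_jar(Path(d) / "mchange-commons-java-0.4.0.jar", "com.mchange", "mchange-commons-java", "0.4.0")
        make_jar(Path(d) / "c3p0-0.9.5.5.jar", "com.mchange", "c3p0", "0.9.5.5")
        return scan_classpath(d)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real deployment, point scan_classpath at the application's lib directory; a c3p0 hit without a matching mchange-commons-java jar means the dependency is bundled or resolved elsewhere and still needs checking.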
