CVE-2026-54512

Severity: High (CVSS 3.1 base score 8.1)
EPSS: 45.1%
Published: Jun 23, 2026
Last modified: Jun 24, 2026

Description

jackson-databind contains the general-purpose data-binding functionality and tree model for the Jackson Data Processor. In versions from 2.10.0 up to, but not including, 2.18.8, 2.21.4 and 3.1.4, the PolymorphicTypeValidator (PTV), which is the primary safety mechanism guarding polymorphic deserialization, can be bypassed through a generic type identifier.

When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated and populated as beans during deserialization.

An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container, for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. Because the second argument to Class.forName is true, the nested class is also initialized when it is loaded, so its static initializers run before any bean is constructed.

This vulnerability is fixed in 2.18.8, 2.21.4 and 3.1.4.
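The mechanism described above, reproduced as an added example with a harmless stand-in class; this is not code from the advisory or from jackson-databind. It assumes the Jackson 2.10+ API surface (JsonMapper.builder().polymorphicTypeValidator, BasicPolymorphicTypeValidator, PolymorphicTypeValidator.Base, InvalidTypeIdException); the package name, the Envelope and NotAllowed classes and the JSON payload are all constructed for the demonstration. The second half shows an interim mitigation of my own, not the upstream fix: a wrapper PTV that never approves a subtype by name, which assumes (as in the 2.x source) that Jackson then falls through to validateSubType with the resolved JavaType, where the generic arguments can be walked and checked.

```java
package com.example.demo;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PtvGenericBypassDemo {

    // Typical application shape: a polymorphic property guarded by the mapper's PTV.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Constructed stand-in for com.evil.Gadget: not on the allow-list; it only
    // counts how often untrusted JSON managed to instantiate it.
    public static class NotAllowed {
        static int instances = 0;
        public String name;
        public NotAllowed() { instances++; }
    }

    // Constructed attacker input: the container is allowed, its type argument is not.
    static final String PAYLOAD =
        "{\"payload\":[\"java.util.ArrayList<com.example.demo.PtvGenericBypassDemo$NotAllowed>\","
        + "[{\"name\":\"pwn\"}]]}";

    // Assumed interim mitigation (not the upstream fix): never approve a subtype by
    // name alone, so Jackson must call validateSubType with the resolved JavaType,
    // where the generic arguments are visible and can be checked recursively.
    public static final class TypeArgumentCheckingValidator extends PolymorphicTypeValidator.Base {
        private final PolymorphicTypeValidator delegate;

        public TypeArgumentCheckingValidator(PolymorphicTypeValidator delegate) { this.delegate = delegate; }

        @Override
        public Validity validateBaseType(MapperConfig<?> config, JavaType baseType) {
            return delegate.validateBaseType(config, baseType);
        }

        @Override
        public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String subClassName) {
            Validity v = delegate.validateSubClassName(config, baseType, subClassName);
            return (v == Validity.DENIED) ? Validity.DENIED : Validity.INDETERMINATE;
        }

        @Override
        public Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType) {
            if (delegate.validateSubType(config, baseType, subType) != Validity.ALLOWED) {
                return Validity.DENIED;
            }
            // Type parameters plus a container's key/content types must all be allowed too.
            for (int i = 0; i < subType.containedTypeCount(); i++) {
                if (!argumentAllowed(config, baseType, subType.containedType(i))) return Validity.DENIED;
            }
            if (!argumentAllowed(config, baseType, subType.getKeyType())) return Validity.DENIED;
            if (!argumentAllowed(config, baseType, subType.getContentType())) return Validity.DENIED;
            return Validity.ALLOWED;
        }

        private boolean argumentAllowed(MapperConfig<?> config, JavaType baseType, JavaType arg) {
            // Unbound parameters resolve to java.lang.Object, which names no class to check.
            if (arg == null || arg.isJavaLangObject()) return true;
            return validateSubType(config, baseType, arg) == Validity.ALLOWED;
        }
    }

    static Object read(PolymorphicTypeValidator ptv) throws Exception {
        JsonMapper mapper = JsonMapper.builder().polymorphicTypeValidator(ptv).build();
        return mapper.readValue(PAYLOAD, Envelope.class).payload;
    }

    public static void main(String[] args) throws Exception {
        PolymorphicTypeValidator onlyArrayList = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(java.util.ArrayList.class)
            .build();

        try {
            Object value = read(onlyArrayList);
            // Reached on affected versions: the container passed, NotAllowed was built and populated.
            System.out.println("bypass: got " + value.getClass().getName()
                + "; NotAllowed instantiated " + NotAllowed.instances + " time(s)");
        } catch (InvalidTypeIdException e) {
            System.out.println("library rejected the type id: " + e.getMessage());
        }

        NotAllowed.instances = 0;
        try {
            read(new TypeArgumentCheckingValidator(onlyArrayList));
            System.out.println("wrapper did NOT reject the payload");
        } catch (InvalidTypeIdException e) {
            System.out.println("wrapper rejected the type id; NotAllowed instantiated "
                + NotAllowed.instances + " time(s)");
        }
    }
}
```

On an affected version the first block prints the bypass with one NotAllowed instance; the second block is rejected with zero instances. Two caveats on the wrapper: the description says the full canonical string is parsed by constructFromCanonical before the PTV sees the resolved type, so the nested class is still loaded and initialized even though it is never instantiated, which is why upgrading remains the actual fix; and the wrapper requires every type argument to be allow-listed explicitly, so a legitimate java.util.ArrayList<java.lang.String> needs an allowIfSubType(String.class) entry on the delegate.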

CVSS Details

Base score: 8.1 (High)
Exploitability subscore: 2.2
Impact subscore: 5.9
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS: 45.1% (the page labels this figure both as exploit probability and as percentile; confirm which against the current FIRST EPSS feed)
Exploit status: No known exploit
Patch status: fixed in 2.18.8, 2.21.4 and 3.1.4 according to the description and the linked commit, so the "No Patch Available" flag shown here conflicts with the page's own description

Weaknesses (2)

CWE-184 Incomplete List of Disallowed Inputs
CWE-502 Deserialization of Untrusted Data

References (3)

  • Commit: https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5
  • Issue: https://github.com/FasterXML/jackson-databind/issues/5988
  • GitHub advisory: https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm

Remediation

Upgrade jackson-databind to 2.18.8, 2.21.4 or 3.1.4, the fixed releases named in the description. Until the upgrade lands, audit every PolymorphicTypeValidator allow-list in the application: an entry for a container type such as java.util.ArrayList also admits any class an attacker names as that container's generic type argument, so an allow-list that contains a container entry provides no protection on affected versions.

Check the vendor advisory (GHSA-j3rv-43j4-c7qm) and the NVD entry for updates.