CVE-2026-54513

HIGH EPSS 42.6%
Published Jun 23, 20261w ago · Modified Jun 24, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Jun 23, 2026 1w ago
Last Modified Jun 24, 2026 1w ago

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
42.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-184

References 6

  • github.com https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5
  • github.com https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e
  • github.com https://github.com/FasterXML/jackson-databind/issues/5981
  • github.com https://github.com/FasterXML/jackson-databind/issues/5983
  • github.com https://github.com/FasterXML/jackson-databind/pull/5984
  • github.com https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.