Vulnerability-Lookup

CVE-2026-54513 (GCVE-0-2026-54513)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:53 – Updated: 2026-06-30 03:17

Title

jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

Summary

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-184 - Incomplete List of Disallowed Inputs

Assigner

GitHub_M

References

9 references

URL	Tags
https://github.com/FasterXML/jackson-databind/sec…	x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/iss…	x_refsource_MISC
https://github.com/FasterXML/jackson-databind/iss…	x_refsource_MISC
https://github.com/FasterXML/jackson-databind/pull/5984	x_refsource_MISC
https://github.com/FasterXML/jackson-databind/com…	x_refsource_MISC
https://github.com/FasterXML/jackson-databind/com…	x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2026-54513	vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2492010	issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v…	x_sadp-csaf-vex

Impacted products

5 products

Vendor	Product	Version
FasterXML	jackson-databind	Affected: >= 2.10.0, < 2.18.8 Affected: >= 2.19.0, < 2.21.4 Affected: >= 3.0.0, < 3.1.4
Red Hat	Red Hat Certificate System 10	cpe:/a:redhat:certificate_system:10
Red Hat	Red Hat Enterprise Linux 10	cpe:/o:redhat:enterprise_linux:10
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54513",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:45:02.581065Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:45:22.699Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:certificate_system:10"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Certificate System 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-23T20:53:52.543Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-184",
                "description": "Incomplete List of Disallowed Inputs",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T03:17:50.345Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-54513"
          },
          {
            "name": "RHBZ#2492010",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492010"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54513.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-23T22:01:34.437Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-23T20:53:52.543Z",
            "value": "Made public."
          }
        ],
        "title": "jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jackson-databind",
          "vendor": "FasterXML",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.18.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, \u003c 2.21.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:57:16.381Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/issues/5981",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/5981"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/issues/5983",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/5983"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/pull/5984",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/pull/5984"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"
        }
      ],
      "source": {
        "advisory": "GHSA-rmj7-2vxq-3g9f",
        "discovery": "UNKNOWN"
      },
      "title": "jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54513",
    "datePublished": "2026-06-23T20:53:52.543Z",
    "dateReserved": "2026-06-15T18:01:15.514Z",
    "dateUpdated": "2026-06-30T03:17:50.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-54513",
      "date": "2026-06-29",
      "epss": "0.00563",
      "percentile": "0.42568"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-54513\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-23T21:17:02.333\",\"lastModified\":\"2026-06-30T03:21:03.130\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"FasterXML\",\"product\":\"jackson-databind\",\"versions\":[{\"version\":\"\u003e= 2.10.0, \u003c 2.18.8\",\"status\":\"affected\"},{\"version\":\"\u003e= 2.19.0, \u003c 2.21.4\",\"status\":\"affected\"},{\"version\":\"\u003e= 3.0.0, \u003c 3.1.4\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Certificate System 10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:certificate_system:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-24T14:45:02.581065Z\",\"id\":\"CVE-2026-54513\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.10.0\",\"versionEndExcluding\":\"2.18.8\",\"matchCriteriaId\":\"925984A4-A2EF-4681-804A-F830B33D6876\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.19.0\",\"versionEndExcluding\":\"2.21.4\",\"matchCriteriaId\":\"59601D96-4AB4-4B53-8DEC-305A6D442E6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.1.4\",\"matchCriteriaId\":\"5C0F99DE-1DB7-4873-83F9-6CEF8E91F33C\"}]}]}],\"references\":[{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/5981\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/5983\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/pull/5984\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-54513\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2492010\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54513.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:certificate_system:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Certificate System 10\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-06-23T22:01:34.437Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-06-23T20:53:52.543Z\", \"value\": \"Made public.\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-06-23T20:53:52.543Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-54513\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2492010\", \"name\": \"RHBZ#2492010\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54513.json\", \"tags\": [\"x_sadp-csaf-vex\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.\"}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"Incomplete List of Disallowed Inputs\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-30T03:17:50.345Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54513\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-24T14:45:02.581065Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-24T14:45:13.067Z\"}}], \"cna\": {\"title\": \"jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)\", \"source\": {\"advisory\": \"GHSA-rmj7-2vxq-3g9f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FasterXML\", \"product\": \"jackson-databind\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.10.0, \u003c 2.18.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.19.0, \u003c 2.21.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.1.4\"}]}], \"references\": [{\"url\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f\", \"name\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/5981\", \"name\": \"https://github.com/FasterXML/jackson-databind/issues/5981\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/5983\", \"name\": \"https://github.com/FasterXML/jackson-databind/issues/5983\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/pull/5984\", \"name\": \"https://github.com/FasterXML/jackson-databind/pull/5984\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5\", \"name\": \"https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e\", \"name\": \"https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"CWE-184: Incomplete List of Disallowed Inputs\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T20:57:16.381Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-54513\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T03:17:50.345Z\", \"dateReserved\": \"2026-06-15T18:01:15.514Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T20:53:52.543Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-RMJ7-2VXQ-3G9F

Vulnerability from github – Published: 2026-06-23 21:22 – Updated: 2026-06-23 21:22

Summary

jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

Details

Summary

BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.

Impact

Applications using BasicPolymorphicTypeValidator with allowIfSubTypeIsArray() as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.

Affected / Patched (verified via `git tag --contains`)

2.18 line: >= 2.10.0, < 2.18.8 -> fixed in 2.18.8
2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

PolymorphicTypeValidator was added in 2.10.0 so vulnerability N/A for versions prior to that.

Severity / CWE

Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.

Upstream fix

FasterXML/jackson-databind#5981; fix PR #5983 (24529da), 2.18 backport PR #5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Severity

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.18.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.19.0"
            },
            {
              "fixed": "2.21.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "tools.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T21:22:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n`BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an explicit concrete-type allowlist therefore still permits `EvilType[]` even though `EvilType` is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.\n\n## Impact\nApplications using `BasicPolymorphicTypeValidator` with `allowIfSubTypeIsArray()` as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.\n\n## Affected / Patched (verified via `git tag --contains`)\n- 2.18 line: `\u003e= 2.10.0, \u003c 2.18.8` -\u003e fixed in **2.18.8**\n- 2.19-2.21 line: `\u003e= 2.19.0, \u003c 2.21.4` -\u003e fixed in **2.21.4**\n- 3.x line: `\u003e= 3.0.0, \u003c 3.1.4` -\u003e fixed in **3.1.4**\n\n`PolymorphicTypeValidator` was added in 2.10.0 so vulnerability N/A for versions prior to that.\n\n## Severity / CWE\nMaintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.\n\n## Upstream fix\nFasterXML/jackson-databind#5981; fix PR #5983 (`24529da`), 2.18 backport PR #5984 (`01d1692`). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.\n\n## Credits\nOmkhar Arasaratnam (@omkhar) - finder.",
  "id": "GHSA-rmj7-2vxq-3g9f",
  "modified": "2026-06-23T21:22:15Z",
  "published": "2026-06-23T21:22:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/5981"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/5983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/pull/5984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)"
}

OPENSUSE-SU-2026:11118-1

Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00

Summary

jackson-databind-2.18.8-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: jackson-databind-2.18.8-1.1 on GA media

Description of the patch: These are all security issues fixed in the jackson-databind-2.18.8-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-11118

CVE-2026-54513

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-54514

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-54515

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

11 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-54513/	self
https://www.suse.com/security/cve/CVE-2026-54514/	self
https://www.suse.com/security/cve/CVE-2026-54515/	self
https://www.suse.com/security/cve/CVE-2026-54513	external
https://bugzilla.suse.com/1268898	external
https://www.suse.com/security/cve/CVE-2026-54514	external
https://bugzilla.suse.com/1268899	external
https://www.suse.com/security/cve/CVE-2026-54515	external
https://bugzilla.suse.com/1268902	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "jackson-databind-2.18.8-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the jackson-databind-2.18.8-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-11118",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11118-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54513 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54513/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54514 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54514/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-54515 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-54515/"
      }
    ],
    "title": "jackson-databind-2.18.8-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-06-25T00:00:00Z",
      "generator": {
        "date": "2026-06-25T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:11118-1",
      "initial_release_date": "2026-06-25T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-06-25T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.aarch64",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.aarch64",
                  "product_id": "jackson-databind-2.18.8-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.ppc64le",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.ppc64le",
                  "product_id": "jackson-databind-2.18.8-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.s390x",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.s390x",
                  "product_id": "jackson-databind-2.18.8-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.s390x",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.s390x",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jackson-databind-2.18.8-1.1.x86_64",
                "product": {
                  "name": "jackson-databind-2.18.8-1.1.x86_64",
                  "product_id": "jackson-databind-2.18.8-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
                "product": {
                  "name": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
                  "product_id": "jackson-databind-javadoc-2.18.8-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-2.18.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64"
        },
        "product_reference": "jackson-databind-2.18.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jackson-databind-javadoc-2.18.8-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        },
        "product_reference": "jackson-databind-javadoc-2.18.8-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-54513",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54513"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54513",
          "url": "https://www.suse.com/security/cve/CVE-2026-54513"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268898 for CVE-2026-54513",
          "url": "https://bugzilla.suse.com/1268898"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-25T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-54513"
    },
    {
      "cve": "CVE-2026-54514",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54514"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54514",
          "url": "https://www.suse.com/security/cve/CVE-2026-54514"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268899 for CVE-2026-54514",
          "url": "https://bugzilla.suse.com/1268899"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-25T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-54514"
    },
    {
      "cve": "CVE-2026-54515",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-54515"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
          "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-54515",
          "url": "https://www.suse.com/security/cve/CVE-2026-54515"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268902 for CVE-2026-54515",
          "url": "https://bugzilla.suse.com/1268902"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-2.18.8-1.1.x86_64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.aarch64",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.ppc64le",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.s390x",
            "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-25T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-54515"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-54513 (GCVE-0-2026-54513)

GHSA-RMJ7-2VXQ-3G9F

Summary

Impact

Affected / Patched (verified via git tag --contains)

Severity / CWE

Upstream fix

Credits

OPENSUSE-SU-2026:11118-1

Tags

Sightings

Nomenclature

Affected / Patched (verified via `git tag --contains`)