Skip to main content

jackson-databind CVE-2026-54512

| EUVDEUVD-2026-38595 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-23 security-advisories@github.com GHSA-j3rv-43j4-c7qm
8.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable JSON endpoint with no auth or UI; AC:H because exploitation needs polymorphic typing, a configured PTV, and a usable classpath gadget; full CIA impact via arbitrary instantiation.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:31 vuln.today
Analysis Generated
Jun 23, 2026 - 21:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7,599 maven packages depend on com.fasterxml.jackson.core:jackson-databind (2,127 direct, 5,567 indirect)
  • 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)

Ecosystem-wide dependent count for version 2.10.0 and other introduced versions.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container - for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

AnalysisAI

PolymorphicTypeValidator bypass in jackson-databind versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 allows attackers controlling JSON type identifiers to smuggle denied gadget classes through allow-listed generic containers, leading to arbitrary class instantiation and potential remote code execution. The flaw stems from DatabindContext._resolveAndValidateGeneric() validating only the raw container class name while skipping all nested generic type arguments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify endpoint accepting polymorphic JSON
Delivery
Probe configured PTV allow-list and classpath gadgets
Exploit
Craft type ID with allowed container wrapping denied gadget
Install
Submit JSON triggering generic deserialization
C2
Gadget class loaded via Class.forName and instantiated
Execute
Setter-driven side effects execute (JNDI/JDBC/template)
Impact
Remote code execution or data exfiltration

Vulnerability AssessmentAI

Exploitation Application must (1) use jackson-databind 2.10.0-2.18.7, 2.19.0-2.21.3, or 3.0.0-3.1.3, (2) have polymorphic typing enabled either via activateDefaultTyping/enableDefaultTyping or via @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS on a field/type reachable from untrusted input, (3) have a configured PolymorphicTypeValidator that allow-lists at least one container class capable of holding generic parameters (List, Map, Set, arrays, etc.) - bypass is meaningless if no PTV is configured, since deserialization is already unrestricted there. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.1 (AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H) reflects high impact tempered by AC:H, which is appropriate because exploitation depends on the application (a) enabling polymorphic typing, (b) accepting attacker-controlled type IDs, and (c) having a suitable gadget class on the classpath. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A web service deserializes user-submitted JSON into a wrapper field typed as Object using polymorphic typing, hardened with BasicPolymorphicTypeValidator.allowIfSubType("java.util.ArrayList"). The attacker submits a type ID such as java.util.ArrayList<com.example.GadgetOnClasspath> with JSON properties that drive the gadget's setters; the container clears PTV, the parameterized gadget class is loaded and instantiated, and its side effects (JNDI lookup, JDBC URL coercion, template compilation) execute under the application's identity.
Remediation Vendor-released patches are available: upgrade to jackson-databind 2.18.8, 2.21.4, or 3.1.4 depending on your release line, per the GHSA-j3rv-43j4-c7qm advisory and commit https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Complete an inventory scan of all Java applications and dependencies to identify jackson-databind versions 2.10.0-2.18.7, 2.19.0-2.21.3, and 3.0.0-3.1.3; prioritize critical business systems and customer-facing applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

CVE-2026-54512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy