Skip to main content

jackson-databind EUVDEUVD-2026-38590

| CVE-2026-54516 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-06-23 security-advisories@github.com GHSA-9fxm-vc8v-hj55
5.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable via JSON endpoint, no privileges required, limited integrity impact only; no confidentiality or availability consequence per advisory.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:35 vuln.today
Analysis Generated
Jun 23, 2026 - 21:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5,171 maven packages depend on com.fasterxml.jackson.core:jackson-databind (1,703 direct, 3,524 indirect)
  • 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)

Ecosystem-wide dependent count for version 2.21.0 and other introduced versions.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.

AnalysisAI

Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify JSON deserialization endpoint accepting user input
Delivery
Discover POJO with @JsonProperty getter + @JsonIgnore setter annotation pattern
Exploit
Craft JSON payload using the renamed property key
Execution
Submit payload to endpoint
Persist
_renameProperties() retains inferred FieldProperty for private backing field
Impact
Attacker value written directly to private field, bypassing @JsonIgnore

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) The target application uses jackson-databind 2.21.0-2.21.3 or 3.0.0-3.1.3 to deserialize user-controlled JSON input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, score 5.3 Medium) accurately reflects the network-reachable, zero-privilege nature of the attack surface but is contingent on an application-level prerequisite: the target POJO must use the specific @JsonProperty-on-getter plus @JsonIgnore-on-setter annotation combination. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Java application with a REST endpoint that deserializes user-supplied JSON into a POJO - where that POJO uses @JsonProperty('renamedProp') on a getter and @JsonIgnore on the setter to expose a field as serialization-only - submits a crafted POST body containing the key 'renamedProp' with an attacker-chosen value. Jackson's _renameProperties() retains the private backing field as writable, causing BeanDeserializerFactory to build a FieldProperty and write the attacker's value directly into the private field, bypassing the developer's intended read-only enforcement. …
Remediation Upgrade jackson-databind to 2.21.4 (for the 2.21.x line) or 3.1.4 (for the 3.x line), as confirmed by GHSA-9fxm-vc8v-hj55 and the upstream commit history (commits c3d56dd and e88cb17). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Share

EUVD-2026-38590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy