Skip to main content

jackson-databind EUVDEUVD-2026-38591

| CVE-2026-54515 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-06-23 security-advisories@github.com GHSA-5jmj-h7xm-6q6v
5.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-delivered JSON triggers bypass without credentials; integrity-only impact limited to per-property field write, no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:35 vuln.today
Analysis Generated
Jun 23, 2026 - 21:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2,974 maven packages depend on tools.jackson.core:jackson-databind (825 direct, 2,151 indirect)

Ecosystem-wide dependent count for version 3.1.0.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.

AnalysisAI

Per-property @JsonIgnoreProperties filtering in jackson-databind is silently bypassed when the same property also carries @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), enabling unauthenticated network attackers (per CVSS AV:N/PR:N) to write to fields the application explicitly excluded from deserialization. The flaw spans versions from 2.8.0 through the 2.18.x, 2.19-2.21.x, and 3.1.x release lines and constitutes a mass-assignment integrity risk wherever ignored fields guard sensitive state such as privilege or role attributes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint deserializing JSON into class with @JsonIgnoreProperties + @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) combo
Delivery
Craft JSON payload including the nominally-ignored field
Exploit
Submit payload to application
Execution
Case-insensitive BeanPropertyMap rebuild restores excluded field in contextual deserializer
Persist
Jackson writes attacker-controlled value into protected field
Impact
Mass-assignment integrity impact realized

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific per-property annotations present simultaneously on the same Java field or bean property within the deserializing class: (1) @JsonIgnoreProperties listing the target field name as an exclusion, and (2) @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES) enabling case-insensitive matching for that property. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (score 5.3 Medium) accurately captures that the attacker merely sends crafted JSON over the network with no credentials, producing a limited integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submitting JSON to a Spring Boot REST endpoint discovers (or infers from source leakage) that the target DTO uses a Container class where an AdminDto field is annotated with both @JsonIgnoreProperties("adminKey") and @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES). The attacker includes "adminKey":"SUPERUSER" in the nested JSON payload; the case-insensitive property map rebuild silently restores the excluded field in the deserializer, and the application writes the attacker-supplied value into adminKey - potentially granting elevated privileges within the session. …
Remediation The primary remediation is to upgrade jackson-databind to 2.18.9, 2.21.5, or 3.1.4 as appropriate for the release line in use; for the 3.x tools.jackson.core group ID, upgrade to 3.1.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-38591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy