Skip to main content

jackson-databind EUVDEUVD-2026-38593

| CVE-2026-54513 HIGH
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-23 security-advisories@github.com GHSA-rmj7-2vxq-3g9f
8.1
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable JSON input with no auth, but AC:H because exploitation requires a specific PTV builder configuration and a usable classpath gadget; full CIA impact via deserialization.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:32 vuln.today
Analysis Generated
Jun 23, 2026 - 21:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7,599 maven packages depend on com.fasterxml.jackson.core:jackson-databind (2,127 direct, 5,567 indirect)
  • 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)

Ecosystem-wide dependent count for version 2.10.0 and other introduced versions.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

AnalysisAI

Allowlist bypass in jackson-databind's BasicPolymorphicTypeValidator (PTV) allows attackers to instantiate non-allowlisted classes by wrapping them in arrays (e.g., EvilType[]), defeating a control intended to block deserialization gadget chains. Affects versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3 when applications use allowIfSubTypeIsArray() alongside an explicit concrete-type allowlist. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint accepting polymorphic JSON
Delivery
Confirm PTV uses allowIfSubTypeIsArray
Exploit
Craft array payload wrapping denied gadget type
Execution
Submit JSON to deserializer
Persist
PTV approves array, instantiates component without recheck
Impact
Gadget executes attacker-controlled side effect

Vulnerability AssessmentAI

Exploitation Requires the target application to (1) use jackson-databind in an affected version range, (2) construct a BasicPolymorphicTypeValidator that calls allowIfSubTypeIsArray() in combination with an explicit concrete-type allowlist (allowIfSubType), (3) enable polymorphic deserialization via activateDefaultTyping or @JsonTypeInfo against attacker-controlled JSON, and (4) have a usable gadget class available on the classpath for meaningful impact. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H) - high impact across CIA but AC:H reflects that exploitation requires the application to (a) use BasicPolymorphicTypeValidator, (b) explicitly call allowIfSubTypeIsArray(), and (c) deserialize attacker-controlled JSON into a polymorphic type without per-element type IDs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits JSON to an endpoint that deserializes into a polymorphic field guarded by a PTV configured with allowIfSubTypeIsArray() plus a strict element allowlist; the attacker supplies an array of a non-allowlisted gadget class (e.g., '["java.lang.Object",[{...EvilType payload...}]]'), which the PTV approves at the array level and Jackson then instantiates each component as the denied class via plain bean deserialization. If the classpath contains a known gadget (JNDI lookup, SSRF, file write), this yields the same outcome as historical jackson-databind RCE chains. …
Remediation Vendor-released patches: upgrade to jackson-databind 2.18.8, 2.21.4, or 3.1.4 depending on your branch (released 2026-06-04, see GHSA-rmj7-2vxq-3g9f and PRs #5983 and #5984). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all internal services and third-party dependencies for jackson-databind usage across affected versions (2.10.0-2.18.7, 2.19.0-2.21.3, 3.0.0-3.1.3); identify services explicitly using allowIfSubTypeIsArray(). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-38593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy