# CVE-2026-50193
Published 2026-06-23
Priority P3 · 47 · high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.62% (45.0th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when an attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out the same (or modified) node using JsonNode.toString(). This can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
## Affected
65 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.10.0 < 2.14.0 | 2.14.0 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-dispatcher-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-receiver-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | — | — |
## CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 7.5 | HIGH | — |
## GHSA
ghsa · 2026-06-23 · [MEDIUM] CWE-400
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
### Impact
Potential Denial-of-Service when an attacker sends deeply nested JSON if (and only if) the service:
1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (`ObjectMapper.readTree()`)
2. Writes out the same (or modified) node using `JsonNode.toString()`
which can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB).
### Patches
Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.
### Workarounds
Avoid serializing `JsonNode` using `toString()`: use `ObjectMapper.writeValueAsString(node)`.
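The vulnerable pattern and the advisory's workaround side by side, as an added Java (11+) example that is not part of the advisory or of jackson-databind itself. The `checkDepth` pre-filter and the `MAX_DEPTH` value are assumptions of this example, an extra defence layered on top of the advisory's workaround rather than something the advisory prescribes; the nested-array inputs are constructed samples.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class NestedJsonGuard {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    // Assumed ceiling (not from the advisory): far below the thousands of
    // levels it describes, above anything the service legitimately accepts.
    static final int MAX_DEPTH = 64;

    /** Vulnerable pattern before 2.14.0: readTree() then JsonNode.toString(). */
    static String vulnerableRoundTrip(String json) throws IOException {
        JsonNode node = MAPPER.readTree(json);
        return node.toString();
    }

    /** Advisory workaround: write via the ObjectMapper, not toString().
     *  The depth pre-check in front of it is an added defence. */
    static String guardedRoundTrip(String json) throws IOException {
        checkDepth(json, MAX_DEPTH);
        JsonNode node = MAPPER.readTree(json);
        return MAPPER.writeValueAsString(node);
    }

    /** Streams tokens without building a tree; fails fast past maxDepth.
     *  Returns the deepest nesting level seen. */
    static int checkDepth(String json, int maxDepth) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = MAPPER.getFactory().createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > maxDepth) {
                        throw new IOException("nesting " + depth + " > " + maxDepth);
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    public static void main(String[] args) throws IOException {
        String ok = "[".repeat(10) + "1" + "]".repeat(10);          // constructed sample
        System.out.println(guardedRoundTrip(ok));                   // accepted
        try {
            guardedRoundTrip("[".repeat(MAX_DEPTH + 1) + "1" + "]".repeat(MAX_DEPTH + 1));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());      // fails before readTree
        }
    }
}
```

The pre-check costs one streaming pass over the input and never allocates a tree, so over-deep documents are rejected before either `readTree()` or any serializer runs.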
## VulDB
vuldb · 2026-06-23 · CVSS 6.3 · [MEDIUM]
FasterXML jackson-databind up to 2.13.x ObjectMapper.readTree resource consumption (ID 3447 / EUVD-2026-38597)
A vulnerability described as problematic has been identified in FasterXML jackson-databind up to 2.13.x. This issue affects the function ObjectMapper.readTree. The manipulation results in resource consumption.
This vulnerability is cataloged as CVE-2026-50193. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is recommended.
## Red Hat
vendor_redhat · 2026-06-23 · CVSS 7.5 · [HIGH] CWE-1050
jackson-databind: Jackson-databind: Denial of Service via deeply nested JSON processing
A flaw was found in jackson-databind, a general-purpose data-binding library for Jackson Data Processor. A remote attacker can exploit this vulnerability by
No detection rules found.
No public exploits indexed.
## Bugzilla
Red Hat Bugzilla trackers for CVE-2026-50193 (Jackson-databind: Denial of Service via deeply nested JSON processing). Every tracker carries the same description as the one at the top of this page.

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

| Tracker | Severity | Date | CVSS |
|---|---|---|---|
| jetty [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| jackson-bom [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| python-avro [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| resteasy [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| ceph [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| jackson-modules-base [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| jackson-jaxrs-providers [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| byte-buddy [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| log4j [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| dogtag-pki [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| google-gson [fedora-all] | HIGH | 2026-06-30 | 7.5 |
| jackson-databind | HIGH | 2026-06-23 | 7.5 |