CVE-2026-54512
published 2026-06-23
Priority P3 (51) · High · CVSS 3.1 base score 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% (45.1th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Affected
69 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.10.0 < 2.18.8 | 2.18.8 |
| fasterxml | jackson-databind | >= 2.19.0 < 2.21.4 | 2.21.4 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
CVSS provenance
NVD (v3.1): 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor): 8.1 HIGH
VulDB
FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3 incomplete blacklist (ID 5988 / EUVD-2026-38595)
vuldb·2026-06-23·CVSS 8.1
CVE-2026-54512 [HIGH] FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3 incomplete blacklist (ID 5988 / EUVD-2026-38595)
A vulnerability described as critical has been identified in FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3. Affected is an unknown function. Executing a manipulation can lead to incomplete blacklist.
This vulnerability is tracked as CVE-2026-54512. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
ghsa·2026-06-23
CVE-2026-54512 [HIGH] CWE-184 jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
`jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `` when only `java.util.ArrayList` is allow-listed. The container passes the PTV check; `com.evil.Gadget` is loaded via `Class.forName(name, true, loader)`, instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.
This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifest
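The allow-list configuration the advisory refers to, combined with a version gate derived from the affected ranges it lists, as an added example that is not part of the GHSA text or of the Jackson project's own code. `SafeMapperFactory` and `isAffected` are hypothetical names; `PackageVersion`, `BasicPolymorphicTypeValidator` and `activateDefaultTyping` are real jackson-databind 2.x APIs. The example assumes the 2.x package namespace (`com.fasterxml.jackson.*`); the 3.x line (fixed in 3.1.4) lives under a different namespace and is deliberately not handled.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.util.ArrayList;

// Hypothetical helper (not part of Jackson): only hands out an ObjectMapper with
// polymorphic typing enabled when the jackson-databind on the classpath is outside
// the CVE-2026-54512 affected ranges. Assumes the 2.x package namespace; the 3.x
// line (fixed in 3.1.4) ships under tools.jackson.* and is not checked here.
public final class SafeMapperFactory {

    private SafeMapperFactory() {}

    // Affected ranges taken from the advisory: >= 2.10.0 < 2.18.8 and >= 2.19.0 < 2.21.4.
    static boolean isAffected(int major, int minor, int patch) {
        if (major != 2) {
            return false; // 3.x is a different artifact and is not covered by this gate
        }
        if (minor >= 10 && minor <= 18) {
            return !(minor == 18 && patch >= 8);
        }
        if (minor >= 19 && minor <= 21) {
            return !(minor == 21 && patch >= 4);
        }
        return false; // before 2.10.0 (no PTV at all) or after 2.21.x: outside the listed ranges
    }

    static boolean isAffected(Version v) {
        return isAffected(v.getMajorVersion(), v.getMinorVersion(), v.getPatchLevel());
    }

    // Builds a mapper with an explicit, narrow PTV allow-list (java.util.ArrayList and its
    // subtypes, the container the advisory uses as its example). On an affected release the
    // advisory states this allow-list is bypassable, so the gate refuses instead of configuring it.
    public static ObjectMapper newPolymorphicMapper() {
        Version v = PackageVersion.VERSION;
        if (isAffected(v)) {
            throw new IllegalStateException("jackson-databind " + v
                    + " is within the CVE-2026-54512 affected range; upgrade to 2.18.8 / 2.21.4 "
                    + "before enabling polymorphic typing");
        }
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(ArrayList.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Default typing is the feature the advisory concerns; leave it off unless the
        // application genuinely needs it. NON_FINAL + PROPERTY are used here only so
        // that the PTV actually has type identifiers to validate.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) {
        // Self-check of the gate against the boundary versions stated in the advisory.
        boolean ok = isAffected(2, 18, 7) && !isAffected(2, 18, 8)
                && isAffected(2, 21, 3) && !isAffected(2, 21, 4)
                && isAffected(2, 10, 0) && !isAffected(2, 9, 10);
        if (!ok) {
            throw new AssertionError("version gate does not match the advisory's ranges");
        }
        Version v = PackageVersion.VERSION;
        System.out.println("jackson-databind " + v
                + (isAffected(v) ? ": AFFECTED, upgrade required" : ": outside the affected range"));
    }
}
```

The gate reads the runtime version from `PackageVersion.VERSION` rather than from a build file, so it also catches the case where a transitive dependency pulled in an older jackson-databind than the one declared. Leaving `activateDefaultTyping` out entirely remains the stronger posture; the example enables it only to show where the PTV allow-list sits.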
Red Hat
jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass
vendor_redhat·2026-06-23·CVSS 8.1
CVE-2026-54512 [HIGH] CWE-502 jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54512 jackson-jaxrs-providers: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 jackson-jaxrs-providers: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54512 jackson-bom: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 jackson-bom: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 dogtag-pki: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 dogtag-pki: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 resteasy: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 resteasy: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 jackson-modules-base: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 jackson-modules-base: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 google-gson: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 google-gson: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 python-avro: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 python-avro: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 log4j: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 log4j: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 ceph: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 ceph: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 byte-buddy: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 byte-buddy: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 jetty: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
bugzilla·2026-06-30·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 jetty: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [fedora-all]
Bugzilla
CVE-2026-54512 jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass
bugzilla·2026-06-23·CVSS 8.1
CVE-2026-54512 [HIGH] CVE-2026-54512 jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass
https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5
https://github.com/FasterXML/jackson-databind/issues/5988
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm