CVE-2026-54513
Published 2026-06-23
Priority: P349 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.6th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dogtag-pki | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.10.0 < 2.18.8 | 2.18.8 |
| fasterxml | jackson-databind | >= 2.19.0 < 2.21.4 | 2.21.4 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| redhat-pki_10 | redhat-pki | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Red Hat (vendor) | — | 8.1 | HIGH | — |
VulDB
FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3 EvilType[] incomplete blacklist (ID 5981 / EUVD-2026-38593)
vuldb·2026-06-23·CVSS 8.1
A vulnerability marked as critical has been reported in FasterXML jackson-databind up to 2.18.7/2.21.3/3.1.3. This vulnerability affects the function BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray. The manipulation of the argument EvilType[] leads to an incomplete blacklist.
This vulnerability is listed as CVE-2026-54513. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
ghsa·2026-06-23·CWE-184
## Summary
`BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an explicit concrete-type allowlist therefore still permits `EvilType[]` even though `EvilType` is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.
## Impact
Applications using `BasicPolymorphicTypeValidator` with `allowIfSubTypeIsArray()` as a safeguard get no protecti
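The following is an added example, written for this page and not taken from the advisory, the GHSA text or the jackson-databind project. It reproduces the misconfiguration described in the CVE description and in the GHSA summary above (an explicit `allowIfSubType` allowlist combined with `allowIfSubTypeIsArray()`, read into a declared `Object` under default typing), and beside it a wrapper validator that unwraps array dimensions and checks the component type against the same allowlist. It assumes jackson-databind 2.x on the classpath; `SafeType`, `EvilType`, `vulnerablePtv`, `hardenedPtv` and `mapperWith` are hypothetical names, `EvilType` only counts its own instantiations rather than doing anything harmful, and the wrapper is a stop-gap of my own for deployments that cannot upgrade at once, not the upstream patch. The fix is to move to 2.18.8, 2.21.4 or 3.1.4.

```java
package com.example;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the advisory or from jackson-databind.
// Assumes jackson-databind 2.x. SafeType and EvilType are hypothetical
// stand-ins: an allowlisted bean and a bean that is NOT allowlisted.
public class ArrayAllowlistDemo {

    public static class SafeType { public String name; }

    // Hypothetical non-allowlisted bean. A real gadget would do damage in its
    // setter; here it only records that the allowlist was bypassed.
    public static class EvilType {
        static int instances = 0;
        public EvilType() { instances++; }
        public void setCmd(String cmd) { /* a side effect would run here */ }
    }

    // The configuration the advisory describes: an explicit allowlist plus
    // allowIfSubTypeIsArray(), which matches any array, EvilType[] included.
    static PolymorphicTypeValidator vulnerablePtv() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeType.class)
                .allowIfSubTypeIsArray()
                .build();
    }

    // Stop-gap wrapper (mine, not the upstream patch): strip array dimensions
    // and validate the component type against the delegate's allowlist.
    // DeserializationContext rejects any validateSubType result other than
    // ALLOWED, so passing the delegate's INDETERMINATE through denies EvilType[].
    static PolymorphicTypeValidator hardenedPtv(PolymorphicTypeValidator delegate) {
        return new PolymorphicTypeValidator.Base() {
            @Override
            public Validity validateBaseType(MapperConfig<?> config, JavaType baseType)
                    throws JsonMappingException {
                return delegate.validateBaseType(config, baseType);
            }
            @Override
            public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType,
                    String subClassName) throws JsonMappingException {
                return delegate.validateSubClassName(config, baseType, subClassName);
            }
            @Override
            public Validity validateSubType(MapperConfig<?> config, JavaType baseType,
                    JavaType subType) throws JsonMappingException {
                JavaType component = subType;
                while (component.isArrayType()) {      // EvilType[][] -> EvilType
                    component = component.getContentType();
                }
                if (component.isPrimitive()) {         // int[], byte[] ... carry no beans
                    return Validity.ALLOWED;
                }
                return delegate.validateSubType(config, baseType, component);
            }
        };
    }

    // OBJECT_AND_NON_CONCRETE: a declared Object gets a [typeId, value] wrapper,
    // but a concrete element type such as EvilType carries no per-element type
    // id, which is exactly the path the advisory says goes unchecked.
    static ObjectMapper mapperWith(PolymorphicTypeValidator ptv) {
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE,
                        JsonTypeInfo.As.WRAPPER_ARRAY)
                .build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson-databind " + PackageVersion.VERSION);

        // Constructed payloads: the type id is the JVM array name, "[Lcom.example...;".
        String evil = "[\"" + EvilType[].class.getName() + "\",[{\"cmd\":\"id\"}]]";
        String safe = "[\"" + SafeType[].class.getName() + "\",[{\"name\":\"ok\"}]]";

        try {
            Object out = mapperWith(vulnerablePtv()).readValue(evil, Object.class);
            System.out.println("vulnerable PTV accepted " + out.getClass().getName()
                    + "; EvilType instances = " + EvilType.instances);
        } catch (JsonMappingException e) {
            System.out.println("rejected, so this build is already fixed: " + e.getOriginalMessage());
        }

        ObjectMapper hardened = mapperWith(hardenedPtv(vulnerablePtv()));
        try {
            hardened.readValue(evil, Object.class);
            System.out.println("hardened PTV accepted EvilType[] (unexpected)");
        } catch (JsonMappingException e) {
            System.out.println("hardened PTV rejected EvilType[]: " + e.getOriginalMessage());
        }
        Object ok = hardened.readValue(safe, Object.class);   // SafeType[] still deserializes
        System.out.println("hardened PTV accepted " + ok.getClass().getName());
    }
}
```

On an unfixed 2.x build the first `readValue` succeeds and reports one `EvilType` instance created without any validator ever seeing `EvilType`; on 2.18.8 or later it throws. Two caveats on the wrapper: it only helps because `DeserializationContext` treats every `validateSubType` result other than `ALLOWED` as a rejection, and it cannot help if `validateBaseType` returns `ALLOWED` for the base type, since an allowed base type short-circuits subtype validation entirely. It is a bridge until the dependency is upgraded, not a substitute for the upgrade.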
Red Hat
jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution
vendor_redhat·2026-06-23·CVSS 8.1·CWE-184
A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability.
Statement: This Important flaw in `jackson-databind` allows for a security bypass, enabling arbitrary code execution. The vulnerability arises from insufficient validation of array component types by `BasicPolymorphicTypeValidator`, which permits deserialization of u
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54513 dogtag-pki: Jackson-databind: Security bypass allows arbitrary code execution [fedora-all]
bugzilla·2026-06-25·CVSS 8.1
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54513 jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution [fedora-all]
bugzilla·2026-06-25·CVSS 8.1
Bugzilla
CVE-2026-54513 jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution
bugzilla·2026-06-23·CVSS 8.1
References
https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5
https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e
https://github.com/FasterXML/jackson-databind/issues/5981
https://github.com/FasterXML/jackson-databind/issues/5983
https://github.com/FasterXML/jackson-databind/pull/5984
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f
https://access.redhat.com/security/cve/CVE-2026-54513
https://bugzilla.redhat.com/show_bug.cgi?id=2492010
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54513.json