CVE-2026-54515
Published 2026-06-23
Priority P4 29 · medium · 5.3 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS 0.34% (26.3rd percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
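The description above combines two per-property annotations on one field; the following is an added regression check (not code from the advisory or from the jackson-databind project) that deserializes a constructed payload through exactly that combination and reports whether the exclusion held. The class and field names are hypothetical and the imports assume the jackson-databind 2.x package layout.

```java
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Regression check for the combination this advisory describes: a property
 * carrying both a per-property @JsonIgnoreProperties exclusion and
 * @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES). All names are hypothetical.
 */
public class IgnoredPropertyRegressionCheck {

    // Nested bean whose "role" must never be settable from client input here.
    public static class Account {
        public String name;
        public String role;
    }

    public static class Request {
        @JsonIgnoreProperties({"role"})
        @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
        public Account account;
    }

    /** True only if "role" stayed unset while case-insensitive matching still worked. */
    public static boolean exclusionHeld(ObjectMapper mapper, String json) throws Exception {
        Request r = mapper.readValue(json, Request.class);
        return r.account != null
                && "bob".equals(r.account.name)   // "NAME" bound via the case-insensitive path
                && r.account.role == null;        // excluded property must not be bound
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the mixed-case "NAME" key proves the case-insensitive
        // block ran, while "role" is the property the exclusion is supposed to drop.
        String json = "{\"account\":{\"NAME\":\"bob\",\"role\":\"admin\"}}";
        boolean ok = exclusionHeld(new ObjectMapper(), json);
        System.out.println(ok ? "PASS: excluded property stayed unset"
                              : "FAIL: excluded property was bound (affected jackson-databind)");
        if (!ok) {
            System.exit(1);
        }
    }
}
```

On a fixed release (2.18.9, 2.21.5, 3.1.4 or later) the check passes; on an affected release the "role" value is bound and the check exits non-zero, which makes it usable as a build-time gate while dependencies are being upgraded.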
Affected
70 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.19.0 < 2.21.5 | 2.21.5 |
| fasterxml | jackson-databind | >= 2.8.0 < 2.18.9 | 2.18.9 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
CVSS provenance
nvd v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat · 5.3 MEDIUM
VulDB
FasterXML jackson-databind up to 2.18.8/2.21.4/3.1.3 BeanDeserializerBase.createContextual dynamically-determined object attributes (ID 5962 / EUVD-2026-38591)
vuldb · 2026-06-24 · CVSS 5.3 · MEDIUM · CVE-2026-54515
A vulnerability classified as problematic has been found in FasterXML jackson-databind up to 2.18.8/2.21.4/3.1.3. Affected by this issue is the function BeanDeserializerBase.createContextual. This manipulation causes dynamically-determined object attributes.
The identification of this vulnerability is CVE-2026-54515. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
ghsa · 2026-06-23 · MEDIUM · CWE-915 · CVE-2026-54515
## Summary
In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by `@JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)`) rebuilds from `this._beanProperties` (the original, unfiltered map) instead of `contextual._beanProperties`, then overwrites the filtered map — restoring every property `_handleByNameInclusion` had just removed. The ignored property becomes writable again.
## Impact
An application that both enables case-insensitive matching and relies
Red Hat
jackson-databind: jackson-databind: Ignored properties can be unexpectedly modified
vendor_redhat · 2026-06-23 · CVSS 5.3 · MEDIUM · CWE-915 · CVE-2026-54515
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54515 log4j: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54515 dogtag-pki: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 python-avro: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 google-gson: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 jackson-modules-base: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 jetty: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 byte-buddy: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 jackson-bom: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 ceph: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 resteasy: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 jackson-jaxrs-providers: jackson-databind: Ignored properties can be unexpectedly modified [fedora-all]
bugzilla · 2026-06-30 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-54515 jackson-databind: jackson-databind: Ignored properties can be unexpectedly modified
bugzilla · 2026-06-23 · CVSS 5.3 · MEDIUM