CVE-2026-54516
Published 2026-06-23
Priority P430 · medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.28% (19.9th percentile)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.
Affected
67 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-27 | de-minimal-rhel9 | — | — |
| ansible-automation-platform-27 | de-supported-rhel9 | — | — |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | multicluster-redirector-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| devspaces | server-rhel9 | — | — |
| eap74-els-openjdk11-openshift-rhel8 | eap74-els-openjdk11-openshift-rhel8 | — | — |
| eap74-els-openjdk17-openshift-rhel8 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| eap74-els-openjdk8-openshift-rhel8 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | — | — |
| fasterxml | jackson-databind | >= 2.21.0 < 2.21.4 | 2.21.4 |
| fasterxml | jackson-databind | >= 3.0.0 < 3.1.4 | 3.1.4 |
| jboss-eap-7 | eap74-els-openjdk17-openshift-rhel8 | — | — |
| jboss-eap-7 | eap74-els-openjdk8-openshift-rhel8 | — | — |
| jenkins | jenkins | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-dispatcher-rhel9 | — | — |
| openshift-serverless-1 | kn-ekb-receiver-rhel9 | — | — |
CVSS provenance
NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat (vendor): 5.3 MEDIUM
VulDB
FasterXML jackson-databind up to 2.21.3/3.1.3 POJOPropertiesCollector._renameProperties backing dynamically-determined object attributes (GHSA-9fxm-vc8v-hj55 / EUVD-2026-38590)
vuldb·2026-06-24·CVSS 5.3
A vulnerability classified as problematic was found in FasterXML jackson-databind up to 2.21.3/3.1.3. This affects the function POJOPropertiesCollector._renameProperties. Such manipulation of the argument backing leads to dynamically-determined object attributes.
This vulnerability is referenced as CVE-2026-54516. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
ghsa·2026-06-23
CVE-2026-54516 [MEDIUM] CWE-915 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
## Summary
`POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field is retained; during deserialization `BeanDeserializerFactory.addBeanProps()` sees `hasField()==true`, builds a `FieldProperty`, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the `@JsonIgnore` on the setter.
## Impact
POJOs combining a renamed getter with an ignored setter (a read-only-over-the-wire pattern) have that field silently set from attacker input.
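The pattern the advisory describes, and a regression check a team can run against its own mapper configuration, as an added Java example (not code from the advisory or from the jackson-databind project). The class names `Account`, `AccountFieldIgnored`, `AccountReadOnly`, the `Roled` interface, the `role`/`renamed` property names and the JSON input are constructed for illustration; the imports are the 2.x packages (the 3.x line lives under `tools.jackson.databind`). Whether the two annotation-level hardenings are themselves unaffected on the vulnerable versions is not stated on the page, so the check, run on the version you actually ship, is what tells you.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

// Added regression check for the CVE-2026-54516 pattern (hypothetical class and
// property names; jackson-databind 2.x imports).
public class RenamedIgnoredSetterCheck {

    interface Roled { String getRole(); }

    // The pattern the advisory describes: a getter renamed over the wire and an
    // @JsonIgnore'd setter, meaning "clients may read this, never write it".
    static class Account implements Roled {
        private String role = "user";

        @JsonProperty("renamed")
        public String getRole() { return role; }

        @JsonIgnore
        public void setRole(String role) { this.role = role; }
    }

    // Hardening A: ignore the backing field explicitly, so there is no retained
    // field for addBeanProps() to turn into a FieldProperty.
    static class AccountFieldIgnored implements Roled {
        @JsonIgnore
        private String role = "user";

        @JsonProperty("renamed")
        public String getRole() { return role; }

        @JsonIgnore
        public void setRole(String role) { this.role = role; }
    }

    // Hardening B: state the intent directly with READ_ONLY access instead of
    // the ignore-the-setter idiom.
    static class AccountReadOnly implements Roled {
        private String role = "user";

        @JsonProperty(value = "renamed", access = JsonProperty.Access.READ_ONLY)
        public String getRole() { return role; }

        public void setRole(String role) { this.role = role; }
    }

    // Constructed input: the renamed key a client sees in responses, sent back
    // with a value the server never intended to accept from the wire.
    static final String INPUT = "{\"renamed\":\"admin\"}";

    // true  -> the backing field was written through the renamed key (the bug);
    // false -> the key was ignored or rejected, so the field kept its default.
    static boolean backingFieldWritten(ObjectMapper mapper, Class<? extends Roled> type) {
        try {
            return "admin".equals(mapper.readValue(INPUT, type).getRole());
        } catch (Exception e) {
            // Rejected outright (e.g. FAIL_ON_UNKNOWN_PROPERTIES): not written.
            return false;
        }
    }

    public static void main(String[] args) {
        // Default mapper: INFER_PROPERTY_MUTATORS is enabled, as in the advisory.
        ObjectMapper defaults = JsonMapper.builder().build();
        // Hardening C: a mapper-wide setting that removes the precondition the
        // advisory names, at the cost of changing mutator inference for every POJO.
        ObjectMapper noInference = JsonMapper.builder()
                .disable(MapperFeature.INFER_PROPERTY_MUTATORS)
                .build();

        System.out.println("Account, default mapper:      written=" + backingFieldWritten(defaults, Account.class));
        System.out.println("Account, no inference:        written=" + backingFieldWritten(noInference, Account.class));
        System.out.println("AccountFieldIgnored, default: written=" + backingFieldWritten(defaults, AccountFieldIgnored.class));
        System.out.println("AccountReadOnly, default:     written=" + backingFieldWritten(defaults, AccountReadOnly.class));
        // Any line printing written=true is a POJO/mapper combination to fix
        // (upgrade to 2.21.4 / 3.1.4, then re-run).
    }
}
```

Run it with the same `ObjectMapper` configuration your service uses rather than a fresh default, since a custom mapper may already disable mutator inference or unknown-property failures. The check treats a rejected key and an ignored key the same way because in both cases the private field is untouched; the only outcome of interest is the field changing from its default.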
Red Hat
jackson-databind: jackson-databind: Security bypass due to improper handling of renamed properties
vendor_redhat·2026-06-23·CVSS 5.3
CVE-2026-54516 [MEDIUM] CWE-915 jackson-databind: jackson-databind: Security bypass due to improper handling of renamed properties
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54516 google-gson: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-54516 jackson-jaxrs-providers: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 jackson-modules-base: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 resteasy: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 dogtag-pki: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 ceph: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 byte-buddy: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 python-avro: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 jetty: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 jackson-bom: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 log4j: jackson-databind: Security bypass due to improper handling of renamed properties [fedora-all]
bugzilla·2026-06-30·CVSS 5.3
Bugzilla
CVE-2026-54516 jackson-databind: jackson-databind: Security bypass due to improper handling of renamed properties
bugzilla·2026-06-23·CVSS 5.3
References
https://github.com/FasterXML/jackson-databind/commit/c3d56dd25d52319828147c5b9aeabf2d485c250a
https://github.com/FasterXML/jackson-databind/commit/e88cb17006b6af4883b973058f0bb6486e5074af
https://github.com/FasterXML/jackson-databind/pull/5967
https://github.com/FasterXML/jackson-databind/pull/5968
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-9fxm-vc8v-hj55