cbcvebase.
CVE-2026-54516
published 2026-06-23

CVE-2026-54516: jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4…

PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.28%
19.9th percentile
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.

Affected

67 ranges· showing 25
VendorProductVersion rangeFixed in
ansible-automation-platform-27de-minimal-rhel9
ansible-automation-platform-27de-supported-rhel9
candlepinprojectcandlepin
debiandogtag-pki
debianpuppetserver
devspacesmulticluster-redirector-rhel9
devspacesopenvsx-rhel9
devspacespluginregistry-rhel9
devspacesserver-rhel9
eap74-els-openjdk11-openshift-rhel8eap74-els-openjdk11-openshift-rhel8
eap74-els-openjdk17-openshift-rhel8eap74-els-openjdk17-openshift-rhel8
eap74-els-openjdk8-openshift-rhel8eap74-els-openjdk8-openshift-rhel8
fasterxmljackson-databind
fasterxmljackson-databind
fasterxmljackson-databind
fasterxmljackson-databind>= 2.21.0 < 2.21.42.21.4
fasterxmljackson-databind>= 3.0.0 < 3.1.43.1.4
jboss-eap-7eap74-els-openjdk17-openshift-rhel8
jboss-eap-7eap74-els-openjdk8-openshift-rhel8
jenkinsjenkins
ocp-tools-4jenkins-rhel8
ocp-tools-4jenkins-rhel9
offline-knowledge-portalrhokp-rhel9
openshift-serverless-1kn-ekb-dispatcher-rhel9
openshift-serverless-1kn-ekb-receiver-rhel9

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.