CVE-2026-54512
Analyzed Analyzed - Analysis Complete

Polymorphic Deserialization Bypass in Jackson Databind

Vulnerability report for CVE-2026-54512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container β€” for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-27
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
fasterxml jackson-databind From 2.10.0 (inc) to 2.18.8 (exc)
fasterxml jackson-databind From 2.19.0 (inc) to 2.21.4 (exc)
fasterxml jackson-databind From 3.0.0 (inc) to 3.1.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-54512 allows attackers to bypass type restrictions in jackson-databind's polymorphic deserialization, potentially leading to arbitrary code execution or unauthorized data manipulation if untrusted JSON input is processed. This security flaw could result in unauthorized access or modification of sensitive data.

Such unauthorized access or data manipulation risks could impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity.

Therefore, applications using vulnerable versions of jackson-databind that accept untrusted JSON and rely on polymorphic deserialization may face increased risk of non-compliance with these standards due to potential data breaches or integrity violations.

Executive Summary

This vulnerability exists in jackson-databind, a library used for data binding and tree-model processing in Jackson Data Processor. It involves the PolymorphicTypeValidator (PTV), which is supposed to safely control polymorphic deserialization by validating type identifiers.

When polymorphic typing is enabled and the type identifier contains generic parameters (indicated by a '<' character), the validation only checks the raw container class name before the '<'. If the container type is allowed, the full generic type string is parsed without validating the nested generic type arguments.

An attacker can exploit this by specifying a denied class as a generic type parameter inside an allowed container class. For example, if java.util.ArrayList is allowed but com.evil.Gadget is not, the attacker can use java.util.ArrayList<com.evil.Gadget>. The container passes validation, but the nested malicious class is loaded, instantiated, and populated with attacker-controlled data, bypassing the allow-list.

This flaw allows execution of unauthorized code during deserialization and is fixed in versions 2.18.8, 2.21.4, and 3.1.4 of jackson-databind.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to bypass security controls during deserialization and instantiate arbitrary classes with attacker-controlled data.

The consequences include remote code execution, data corruption, or unauthorized access to sensitive information, as the attacker can inject malicious objects into the application.

Given the CVSS score of 8.1 with high impact on confidentiality, integrity, and availability, exploitation could lead to significant compromise of the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to one of the fixed versions: 2.18.8, 2.21.4, or 3.1.4.

This vulnerability arises because the PolymorphicTypeValidator (PTV) does not validate nested generic type arguments, allowing an attacker to bypass allow-lists. Upgrading to a fixed version ensures that this validation flaw is corrected.

Detection Guidance

This vulnerability arises from the jackson-databind library versions prior to 2.18.8, 2.21.4, and 3.1.4 where the PolymorphicTypeValidator fails to validate nested generic type parameters during polymorphic deserialization.

To detect if your system is vulnerable, first identify if your application uses jackson-databind versions between 2.10.0 and 2.18.7, or between 2.19.0 and 2.21.3, or between 3.0.0 and 3.1.3.

You can check the jackson-databind version in your project dependencies using commands like:

  • For Maven: mvn dependency:tree | grep jackson-databind
  • For Gradle: ./gradlew dependencies | grep jackson-databind

To detect exploitation attempts on your network or system, monitor for suspicious JSON payloads that include polymorphic type identifiers with generic parameters, such as type IDs containing the '<' character (e.g., java.util.ArrayList<com.evil.Gadget>).

You can use network monitoring tools or log analysis to search for such payloads. For example, using grep on application logs or network captures:

  • grep -r '\<.*\>' /path/to/logs
  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'java.util.ArrayList<'

Additionally, review your application logs for deserialization errors or unexpected class instantiations that could indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart