CVE-2026-54512
Status: Received - Intake
Polymorphic Deserialization Bypass in Jackson Databind

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container, for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
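As an added defence-in-depth illustration (not code from the jackson-databind project, and no substitute for upgrading to a fixed version), the wrapper below, written against the 2.x API and assuming the hypothetical name NestedTypeArgsValidator, forces the resolved, fully parameterized type through validateSubType and checks every generic type argument against the validator you already configure:

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Hypothetical wrapper (not part of jackson-databind): re-validates nested generic arguments. */
public final class NestedTypeArgsValidator extends PolymorphicTypeValidator {
    private final PolymorphicTypeValidator delegate;

    public NestedTypeArgsValidator(PolymorphicTypeValidator delegate) { this.delegate = delegate; }

    @Override
    public Validity validateBaseType(MapperConfig<?> config, JavaType baseType) {
        return delegate.validateBaseType(config, baseType);
    }

    @Override
    public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String subClassName)
            throws JsonMappingException {
        // On unpatched versions this hook only sees the raw name before '<', and an ALLOWED
        // answer makes the resolver skip validateSubType entirely. Downgrade ALLOWED to
        // INDETERMINATE so the resolved, parameterized type is always re-checked below.
        Validity v = delegate.validateSubClassName(config, baseType, subClassName);
        return v == Validity.ALLOWED ? Validity.INDETERMINATE : v;
    }

    @Override
    public Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType)
            throws JsonMappingException {
        // Note: constructFromCanonical() has already loaded the argument classes by now;
        // this check only prevents them from being instantiated and populated.
        return checkRecursively(config, baseType, subType);
    }

    // A type passes only if the delegate allows it AND every contained type argument, recursively.
    private Validity checkRecursively(MapperConfig<?> config, JavaType baseType, JavaType type)
            throws JsonMappingException {
        Validity v = delegate.validateSubClassName(config, baseType, type.getRawClass().getName());
        if (v != Validity.ALLOWED) {
            v = delegate.validateSubType(config, baseType, type);
        }
        if (v != Validity.ALLOWED) return Validity.DENIED;
        for (int i = 0; i < type.containedTypeCount(); i++) {
            JavaType arg = type.containedType(i);
            if (arg.isJavaLangObject() || arg.isPrimitive()) continue; // unbound/raw placeholder, nothing to gate
            if (checkRecursively(config, baseType, arg) != Validity.ALLOWED) {
                return Validity.DENIED; // e.g. ArrayList<com.evil.Gadget>: container allowed, argument denied
            }
        }
        return Validity.ALLOWED;
    }
}
```

Register it in place of the current validator, e.g. `mapper.activateDefaultTyping(new NestedTypeArgsValidator(ptv), ObjectMapper.DefaultTyping.NON_FINAL)`. Every generic argument other than java.lang.Object and primitives must now be allowed by the wrapped validator, so legitimate argument types such as java.lang.String need rules of their own.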
Affected Vendors & Products

Vendor   Product           Version / Range
jackson  jackson-databind  From 2.10.0 (inc) to 2.18.8 (exc)
jackson  jackson-databind  2.18.8
jackson  jackson-databind  2.21.4
jackson  jackson-databind  3.1.4
CWE

CWE ID   Description
CWE-502  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-184  The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Executive Summary

This vulnerability exists in jackson-databind, a library used for data binding and tree-model processing in Jackson Data Processor. It involves the PolymorphicTypeValidator (PTV), which is supposed to safely control polymorphic deserialization by validating type identifiers.

When polymorphic typing is enabled and the type identifier contains generic parameters (indicated by a '<' character), the validation only checks the raw container class name before the '<'. If the container type is allowed, the full generic type string is parsed without validating the nested generic type arguments.

An attacker can exploit this by specifying a denied class as a generic type parameter inside an allowed container class. For example, if java.util.ArrayList is allowed but com.evil.Gadget is not, the attacker can use java.util.ArrayList<com.evil.Gadget>. The container passes validation, but the nested malicious class is loaded, instantiated, and populated with attacker-controlled data, bypassing the allow-list.

This flaw allows execution of unauthorized code during deserialization and is fixed in versions 2.18.8, 2.21.4, and 3.1.4 of jackson-databind.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to bypass security controls during deserialization and instantiate arbitrary classes with attacker-controlled data.

The consequences include remote code execution, data corruption, or unauthorized access to sensitive information, as the attacker can inject malicious objects into the application.

Given the CVSS score of 8.1 with high impact on confidentiality, integrity, and availability, exploitation could lead to significant compromise of the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to one of the fixed versions: 2.18.8, 2.21.4, or 3.1.4.

This vulnerability arises because the PolymorphicTypeValidator (PTV) does not validate nested generic type arguments, allowing an attacker to bypass allow-lists. Upgrading to a fixed version ensures that this validation flaw is corrected.
