CVE-2026-54515
Analyzed Analyzed - Analysis Complete

Deserialization Flaw in Jackson-Databind

Vulnerability report for CVE-2026-54515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-29
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
fasterxml jackson-databind From 3.0.0 (inc) to 3.1.4 (exc)
fasterxml jackson-databind From 2.19.0 (inc) to 2.21.5 (exc)
fasterxml jackson-databind From 2.8.0 (inc) to 2.18.9 (exc)
fasterxml jackson-databind 2.22.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized modification of data fields that were intended to be excluded from deserialization, potentially leading to improper handling of sensitive or protected data.

Such unauthorized data modifications could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data integrity and protection of sensitive information.

Because the vulnerability enables mass-assignment-style writes to ignored properties, it may allow attackers to bypass intended data restrictions, increasing the risk of data integrity violations.

However, the vulnerability primarily affects data integrity and does not impact confidentiality or availability directly.

Detection Guidance

This vulnerability is related to the jackson-databind library's deserialization process and specifically affects applications that use case-insensitive matching with @JsonIgnoreProperties annotations. Detection involves identifying if your application uses a vulnerable version of jackson-databind and if it enables case-insensitive deserialization with @JsonIgnoreProperties.

To detect the vulnerability on your system, first check the version of jackson-databind in use. Vulnerable versions include those from 2.8.0 up to but not including 2.18.9, 2.19.0 up to but not including 2.21.5, 2.22.0 up to but not including 2.22.1, and 3.1.0 up to but not including 3.1.4.

You can run commands to identify the jackson-databind version in your project or deployed environment. For example, in a Maven project, use:

  • mvn dependency:list | grep jackson-databind

Or in a Gradle project, use:

  • gradle dependencies | grep jackson-databind

If you have access to the deployed environment's JAR files, you can check the version by inspecting the manifest or filename of the jackson-databind JAR.

To detect exploitation attempts on your network, monitor for JSON input that attempts to set properties that should be ignored by @JsonIgnoreProperties, especially when case-insensitive matching is enabled. However, there are no specific network detection commands or signatures provided in the available resources.

Executive Summary

This vulnerability exists in the jackson-databind library versions from 2.8.0 up to 2.18.9, 2.21.5, and 3.1.4. It occurs in the BeanDeserializerBase.createContextual() method where per-property @JsonIgnoreProperties exclusions are applied to remove ignored properties from the BeanPropertyMap. However, a subsequent case-insensitivity processing step incorrectly rebuilds the property map from the original unfiltered properties instead of the filtered ones, effectively restoring the ignored properties and making them writable again.

This means that properties that were supposed to be ignored during deserialization can be manipulated, potentially allowing unintended data binding behavior.

Impact Analysis

The vulnerability can lead to unintended writable access to properties that were meant to be ignored during data deserialization. This can result in improper handling of data, potentially allowing attackers to inject or modify data fields that should have been excluded.

Such behavior can cause integrity issues in applications relying on jackson-databind for JSON processing, possibly leading to security risks such as data corruption or unauthorized data manipulation.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade jackson-databind to one of the fixed versions: 2.18.9, 2.21.5, or 3.1.4.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart