CVE-2026-54516
Received Received - Intake
Jackson Databind Property Renaming Deserialization Bypass

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-54516
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jackson jackson-databind From 2.21.0 (inc) to 2.21.4 (inc)
jackson jackson-databind 3.1.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4, specifically in the POJOPropertiesCollector._renameProperties() method. When a property has @JsonProperty("renamed") on the getter and @JsonIgnore on the setter, the property is renamed instead of being dropped. With the default MapperFeature.INFER_PROPERTY_MUTATORS enabled, the private backing field remains accessible. During deserialization, BeanDeserializerFactory.addBeanProps() detects the backing field and creates a writable FieldProperty. This allows an attacker to supply the renamed JSON key and write directly to the backing field, bypassing the @JsonIgnore annotation on the setter.

Impact Analysis

This vulnerability allows an attacker to modify private backing fields directly during JSON deserialization, bypassing intended access controls such as @JsonIgnore on setters. This can lead to unauthorized modification of object state, potentially causing data integrity issues or unexpected behavior in applications using jackson-databind.

Mitigation Strategies

To mitigate this vulnerability, update jackson-databind to version 3.1.4 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart