CVE-2026-54516
Analyzed Analyzed - Analysis Complete

Jackson Databind Property Renaming Deserialization Bypass

Vulnerability report for CVE-2026-54516, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-27
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fasterxml jackson-databind From 3.0.0 (inc) to 3.1.4 (exc)
fasterxml jackson-databind From 2.21.0 (inc) to 2.21.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4, specifically in the POJOPropertiesCollector._renameProperties() method. When a property has @JsonProperty("renamed") on the getter and @JsonIgnore on the setter, the property is renamed instead of being dropped. With the default MapperFeature.INFER_PROPERTY_MUTATORS enabled, the private backing field remains accessible. During deserialization, BeanDeserializerFactory.addBeanProps() detects the backing field and creates a writable FieldProperty. This allows an attacker to supply the renamed JSON key and write directly to the backing field, bypassing the @JsonIgnore annotation on the setter.

Impact Analysis

This vulnerability allows an attacker to modify private backing fields directly during JSON deserialization, bypassing intended access controls such as @JsonIgnore on setters. This can lead to unauthorized modification of object state, potentially causing data integrity issues or unexpected behavior in applications using jackson-databind.

Mitigation Strategies

To mitigate this vulnerability, update jackson-databind to version 3.1.4 or later, where the issue is fixed.

Compliance Impact

CVE-2026-54516 allows attackers to bypass the @JsonIgnore annotation on setter methods by deserializing data directly into private fields. This can lead to unintended modification of object properties, potentially enabling property tampering or mass assignment attacks.

Such unauthorized data modification could impact the integrity and confidentiality of data processed by applications using affected versions of Jackson Databind. This may pose risks to compliance with data protection regulations like GDPR or HIPAA, which require strict controls over data access and modification.

However, the vulnerability does not lead to remote code execution and has a moderate severity (CVSS 5.3). The actual compliance impact depends on how the affected library is used within an application and the sensitivity of the data involved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart