CVE-2026-54911: UltraJSON UTF-8 Decoding Bypass via reject_bytes
Status: Received - Intake

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (as well as ujson.dump() and ujson.encode()) accepts a reject_bytes=False option. When it is set, these functions may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity issues. This vulnerability is fixed in 5.13.0.
Affected Vendors & Products (1 associated CPE)
Vendor      Product     Version / Range
ultrajson   ultrajson   5.13.0
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Quick Actions (instant insights powered by AI)
Executive Summary

The vulnerability exists in UltraJSON, a fast JSON encoder and decoder written in pure C with Python bindings. Before version 5.13.0, the functions ujson.dumps(), ujson.dump(), and ujson.encode() accepted a reject_bytes=False option under which malformed or truncated UTF-8 byte sequences could be accepted. Instead of rejecting these invalid sequences, the functions silently rewrote them into different Unicode characters. This behavior leads to input validation bypass and data integrity issues.

Impact Analysis

This vulnerability allows malformed or truncated UTF-8 byte sequences to be accepted and silently altered rather than rejected. That is an input validation bypass: invalid or malicious data may be processed without detection. It also causes data integrity issues, because the original data may be changed unexpectedly during encoding or decoding.

Mitigation Strategies

To mitigate this vulnerability, upgrade UltraJSON (ujson) to version 5.13.0 or later, where the issue with malformed or truncated UTF-8 byte sequences being silently rewritten is fixed.
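The following is an added example, not code from the advisory or from the ujson project. It shows the behaviour the Description and Mitigation sections refer to, strict rejection versus silent rewriting of malformed UTF-8, and a pre-serialization check that refuses such bytes values before any serializer sees them. It uses the standard-library json module so it runs without ujson installed; the sample byte strings are constructed, and the same check applies before a call to ujson.dumps with reject_bytes=False.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample values (not from the advisory): one well-formed UTF-8
# string and three malformed or truncated byte sequences.
SAMPLES: Dict[str, bytes] = {
    "valid": "caf\u00e9".encode("utf-8"),   # b'caf\xc3\xa9'
    "truncated": b"caf\xc3",                 # 2-byte lead with no continuation byte
    "cut_3byte": b"\xe2\x82",                # 3-byte sequence missing its last byte
    "stray_cont": b"ab\xa9",                 # continuation byte without a lead byte
}

def strict_decode(raw: bytes) -> Optional[str]:
    """Return decoded text, or None if raw is not well-formed UTF-8."""
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None

def lenient_decode(raw: bytes) -> str:
    """Decode as a lenient encoder would: bad sequences become U+FFFD."""
    return raw.decode("utf-8", errors="replace")

def audit(samples: Dict[str, bytes]) -> Dict[str, Dict[str, Any]]:
    """Flag every sample a lenient decoder would silently rewrite."""
    report = {}
    for name, raw in samples.items():
        text = strict_decode(raw)
        report[name] = {
            "strict_ok": text is not None,
            "rewritten": text is None and "\ufffd" in lenient_decode(raw),
        }
    return report

def safe_dumps(obj: Any) -> str:
    """Serialize obj to JSON, refusing any bytes value that is not strict UTF-8.
    Call this before any serializer configured to accept bytes (e.g. ujson.dumps
    with reject_bytes=False) so malformed input is an error, not a rewritten string."""
    def convert(value: Any) -> Any:
        if isinstance(value, bytes):
            text = strict_decode(value)
            if text is None:
                raise ValueError(f"rejecting non-UTF-8 bytes value: {value!r}")
            return text
        if isinstance(value, dict):
            return {k: convert(v) for k, v in value.items()}
        if isinstance(value, (list, tuple)):
            return [convert(v) for v in value]
        return value
    return json.dumps(convert(obj), ensure_ascii=False)
```

Running audit(SAMPLES) marks every malformed sample as rewritten, which is exactly the silent substitution that should instead surface as an error; safe_dumps raises ValueError on those values and passes the valid one through unchanged.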
