Denial-of-Service Vulnerability in Jackson Databind Library by FasterXML
CVE-2026-50193

6.3 MEDIUM

Key Information:

Vendor

Fasterxml

CVE Published:
23 June 2026

What is CVE-2026-50193?

The Jackson Databind library, utilized for JSON data-binding and tree-model operations, is susceptible to a Denial-of-Service attack when processing deeply nested JSON. Versions 2.13.0 through 2.14.0 may encounter significant resource consumption if a service reads and writes deeply nested JSON structures through the ObjectMapper.readTree() and JsonNode.toString() methods. Attackers can exploit this vulnerability by sending JSON data with extensive nesting levels, leading to resource exhaustion. This issue was addressed in version 2.14.0.
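
A defensive stopgap for services that cannot move to the fixed release immediately, as an added example that is not code from this advisory or from the Jackson project: bound nesting depth with the streaming parser before `ObjectMapper.readTree()` builds a tree. The class name, method name and the `MAX_DEPTH` value are assumptions chosen for illustration.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class DepthGuardedReader {
    // Assumed limit for this example; set it to the deepest document the service legitimately accepts.
    static final int MAX_DEPTH = 64;
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Returns the parsed tree, or throws before any tree is built if nesting exceeds MAX_DEPTH. */
    static JsonNode readTreeBounded(byte[] body) throws IOException {
        // Pass 1: walk the token stream only. No JsonNode objects are allocated here.
        try (JsonParser p = MAPPER.getFactory().createParser(body)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {          // START_OBJECT or START_ARRAY
                    if (++depth > MAX_DEPTH) {
                        throw new IOException("JSON nesting deeper than " + MAX_DEPTH + " rejected");
                    }
                } else if (t.isStructEnd()) {     // END_OBJECT or END_ARRAY
                    depth--;
                }
            }
        }
        // Pass 2: depth is within bounds, so readTree() and any later
        // JsonNode.toString() on the result operate on a bounded structure.
        return MAPPER.readTree(body);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one ordinary document, one with 5000 nested arrays.
        byte[] ok = "{\"a\":[{\"b\":[1,2,3]}]}".getBytes(StandardCharsets.UTF_8);
        byte[] deep = ("[".repeat(5000) + "]".repeat(5000)).getBytes(StandardCharsets.UTF_8);

        System.out.println(readTreeBounded(ok));
        try {
            readTreeBounded(deep);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard reads the input twice, so pair it with a request-size limit at the HTTP layer.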

Affected Version(s)

jackson-databind >= 2.10.0, < 2.14.0

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
