Polymorphic Deserialization Vulnerability in Jackson Databind
CVE-2026-54512

8.1 HIGH

Key Information:

Vendor: Fasterxml

CVE Published: 23 June 2026

What is CVE-2026-54512?

A vulnerability exists in Jackson Databind due to inadequate validation of nested type arguments during polymorphic deserialization. The issue arises when polymorphic typing is enabled and a type identifier includes generic parameters. Jackson validates only the raw container class name against the configured PolymorphicTypeValidator (PTV), so an attacker can craft JSON that instantiates a disallowed class as a generic parameter inside an allowed container. This bypasses the PTV allow-list and can lead to unauthorized access to and manipulation of application data. The vulnerability is fixed in versions 2.18.8, 2.21.4, and 3.1.4.

Affected Version(s)

jackson-databind >= 2.10.0 and < 2.18.8 (fixed in 2.18.8)

jackson-databind >= 2.19.0 and < 2.21.4 (fixed in 2.21.4)

jackson-databind >= 3.0.0 and < 3.1.4 (fixed in 3.1.4)
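Because the fix for this bug is an upgrade rather than a configuration change, the practical check is whether a build pulls in an affected jackson-databind release. The script below is an added example, not part of this record or of the Jackson project: it encodes the three affected ranges listed above, treats a pre-release suffix (such as an -rc build) as older than its final release, and scans constructed sample lines shaped like `mvn dependency:list` output.

```python
import re

# Affected ranges as listed in the CVE-2026-54512 record: (first affected, first fixed)
AFFECTED_RANGES = [("2.10.0", "2.18.8"), ("2.19.0", "2.21.4"), ("3.0.0", "3.1.4")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.]+))?$")

def parse_version(text):
    """Map '2.18.7' or '2.18.8-rc1' to a comparable tuple.
    A pre-release (anything after the patch number) sorts below its final
    release, so a release candidate of a fix version is still treated as affected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def fix_version_for(version):
    """Return the fixed release for the caller's branch, or None if not affected."""
    v = parse_version(version)
    for first_affected, fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(fixed):
            return fixed
    return None

# Coordinate format printed by `mvn dependency:list` (group:artifact:packaging:version:scope)
_COORD_RE = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:(?:jar:)?([0-9][^:\s]*)")

def scan_dependency_list(lines):
    """Return (version, fixed_version) for every affected jackson-databind entry."""
    findings = []
    for line in lines:
        m = _COORD_RE.search(line)
        if not m:
            continue
        fixed = fix_version_for(m.group(1))
        if fixed:
            findings.append((m.group(1), fixed))
    return findings

# Constructed sample lines in the shape of `mvn dependency:list` output (not real project data)
SAMPLE = """\
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.18.7:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.18.7:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.21.4:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
""".splitlines()

if __name__ == "__main__":
    for ver, fixed in scan_dependency_list(SAMPLE):
        print(f"jackson-databind {ver} is affected by CVE-2026-54512; upgrade to {fixed}")
```

Only the 2.18.7 entry is reported: 2.21.4 is a fixed release and 2.9.10 predates the first affected version.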

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved