Array Type Handling Vulnerability in Jackson Data Processor by FasterXML
CVE-2026-54513

8.1 HIGH

Key Information:

Vendor

Fasterxml

CVE Published:
23 June 2026

What is CVE-2026-54513?

jackson-databind, the data-binding module of the Jackson Data Processor, contains a flaw in how its polymorphic type validator handles array types. BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() accepts any array subtype without checking the array's component type against the configured allowlist, so an array of a type that is not explicitly permitted (for example EvilType[]) passes validation even though EvilType itself would be rejected. An application that enables polymorphic (default) typing with such a validator can therefore be made to deserialize elements of an unvalidated type, which defeats the allowlist the validator exists to enforce. The vulnerability is fixed in versions 2.18.8, 2.21.4 and 3.1.4.
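The following is an added example, not jackson-databind's own patch: a delegating PolymorphicTypeValidator that unwraps any array subtype to its innermost element type and runs that element type through the wrapped validator's ordinary (non-array) allowlist checks, so that allowIfSubTypeIsArray() can no longer admit EvilType[] when EvilType is not allowed. It assumes Jackson 2.x package names (com.fasterxml.jackson.databind); the allowlist prefix com.example.safe. and the sample JSON input are constructed for the illustration.

```java
// Added example (not jackson-databind's own fix): a delegating
// PolymorphicTypeValidator that re-checks the innermost component type of any
// array subtype against the wrapped validator's allowlist. Targets Jackson 2.x
// package names; "com.example.safe." is a hypothetical allowlist prefix.
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class ArrayComponentCheckingValidator extends PolymorphicTypeValidator {
    private static final long serialVersionUID = 1L;
    private final PolymorphicTypeValidator delegate;

    public ArrayComponentCheckingValidator(PolymorphicTypeValidator delegate) {
        this.delegate = delegate;
    }

    @Override
    public Validity validateBaseType(MapperConfig<?> config, JavaType baseType)
            throws JsonMappingException {
        return delegate.validateBaseType(config, baseType);
    }

    @Override
    public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType,
            String subClassName) throws JsonMappingException {
        // JVM array names look like "[Lcom.example.Evil;". Never decide on the
        // name alone for an array: return INDETERMINATE so Jackson resolves the
        // JavaType and calls validateSubType(), where the element type is visible.
        if (subClassName.startsWith("[")) {
            return Validity.INDETERMINATE;
        }
        return delegate.validateSubClassName(config, baseType, subClassName);
    }

    @Override
    public Validity validateSubType(MapperConfig<?> config, JavaType baseType,
            JavaType subType) throws JsonMappingException {
        if (!subType.isArrayType()) {
            return delegate.validateSubType(config, baseType, subType);
        }
        // Unwrap nested arrays (EvilType[][] -> EvilType) before checking.
        JavaType component = subType;
        while (component.isArrayType()) {
            component = component.getContentType();
        }
        if (component.isPrimitive()) {
            return Validity.ALLOWED; // int[], byte[][] ...: no class to instantiate
        }
        // Run the element type through the delegate's non-array path: name
        // matchers first, then class matchers. Anything short of an explicit
        // ALLOWED is treated as a denial, mirroring Jackson's own resolution rule.
        Validity v = delegate.validateSubClassName(config, baseType,
                component.getRawClass().getName());
        if (v == Validity.INDETERMINATE) {
            v = delegate.validateSubType(config, baseType, component);
        }
        return (v == Validity.ALLOWED) ? Validity.ALLOWED : Validity.DENIED;
    }

    public static void main(String[] args) throws Exception {
        // The weak configuration: on an affected version, allowIfSubTypeIsArray()
        // admits any array regardless of its element type.
        PolymorphicTypeValidator weak = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.safe.") // hypothetical allowlist prefix
                .allowIfSubTypeIsArray()
                .build();
        // The mitigation: wrap it so array element types are checked as well.
        PolymorphicTypeValidator hardened = new ArrayComponentCheckingValidator(weak);

        ObjectMapper mapper = JsonMapper.builder()
                .activateDefaultTyping(hardened, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();

        // Constructed input: an array whose element type (java.util.Date, chosen
        // only because it is outside the allowlist) is carried in Jackson's
        // default "wrapper array" type-id form.
        String json = "[\"[Ljava.util.Date;\", []]";
        try {
            mapper.readValue(json, Object.class);
            System.out.println("accepted (unexpected)");
        } catch (JsonMappingException e) {
            System.out.println("denied: " + e.getOriginalMessage());
        }
    }
}
```

The wrapper is a stop-gap for deployments that cannot yet move to 2.18.8, 2.21.4 or 3.1.4; upgrading remains the fix. Because the element type is checked through the delegate's normal matchers, arrays of types you do want (String[], for instance) must be covered by the allowlist too, e.g. by adding allowIfSubType(String.class) to the builder. Jackson 3.x uses the tools.jackson.databind package names, so the imports would differ there.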

Affected Version(s)

jackson-databind >= 2.10.0, < 2.18.8 (fixed in 2.18.8)

jackson-databind >= 2.19.0, < 2.21.4 (fixed in 2.21.4)

jackson-databind >= 3.0.0, < 3.1.4 (fixed in 3.1.4)

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
