Data-Binding Issue in Jackson Data Processor Affects Multiple Versions
CVE-2026-54515
5.3 MEDIUM
What is CVE-2026-54515?
A vulnerability in jackson-databind causes @JsonIgnoreProperties annotations to be handled improperly, leading to unintended exposure of ignored properties. BeanDeserializerBase.createContextual() fails to apply the exclusions correctly, so properties marked as ignored become writable again during deserialization, which poses a security risk. The issue is resolved in versions 2.18.9, 2.21.5 and 3.1.4; users should update to one of these versions to preserve the integrity of their data-binding processes.
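The following check is an added example, not code from the advisory or from the Jackson project. It exercises the behaviour the description names: a property excluded with @JsonIgnoreProperties must stay at its default even when untrusted JSON supplies it. Both a class-level exclusion and a property-level exclusion (the case that goes through BeanDeserializerBase.createContextual()) are tested; the exact configuration that triggers the defect is not stated on this page, so covering both is an assumption. Bean names, field names and the JSON samples are constructed for the example. Imports target the 2.x line; on 3.x the package is tools.jackson.databind and the mapper is built with JsonMapper.builder().build().

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

public class IgnorePropertiesCheck {

    // Constructed bean with a class-level exclusion: "role" must never be
    // settable from JSON, regardless of what the caller sends.
    @JsonIgnoreProperties({"role"})
    public static class Account {
        public String name;
        public String role = "user"; // default; input must not override it
    }

    // Constructed bean with no annotation of its own; the exclusion is
    // declared on the property that holds it (see Envelope below).
    public static class Profile {
        public String name;
        public String role = "user";
    }

    // Property-level exclusion: applied when the deserializer for "profile"
    // is contextualised, i.e. via BeanDeserializerBase.createContextual().
    public static class Envelope {
        @JsonIgnoreProperties({"role"})
        public Profile profile;
    }

    // Returns true when the class-level exclusion is honoured.
    public static boolean classLevelIgnoreHonored(ObjectMapper mapper) throws Exception {
        Account a = mapper.readValue(
                "{\"name\":\"alice\",\"role\":\"admin\"}", Account.class);
        return "user".equals(a.role);
    }

    // Returns true when the property-level exclusion is honoured.
    public static boolean propertyLevelIgnoreHonored(ObjectMapper mapper) throws Exception {
        Envelope e = mapper.readValue(
                "{\"profile\":{\"name\":\"bob\",\"role\":\"admin\"}}", Envelope.class);
        return "user".equals(e.profile.role);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        boolean classOk = classLevelIgnoreHonored(mapper);
        boolean propOk = propertyLevelIgnoreHonored(mapper);
        System.out.println("class-level @JsonIgnoreProperties honoured:    " + classOk);
        System.out.println("property-level @JsonIgnoreProperties honoured: " + propOk);
        if (!(classOk && propOk)) {
            System.out.println("FAIL: an ignored property was written from input;"
                    + " upgrade jackson-databind to 2.18.9, 2.21.5 or 3.1.4.");
            System.exit(1);
        }
    }
}
```

Run this once against the jackson-databind version on the classpath and again after upgrading; a non-zero exit on the old version and a clean exit on the fixed version confirms the exclusion is enforced on the deserialization path your code uses. A check like this also belongs in a unit test suite, since any field guarded only by @JsonIgnoreProperties is a field an attacker could otherwise set through ordinary input.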
Affected Version(s)
Package             Affected range           Not affected     Fixed in
jackson-databind    >= 2.8.0, < 2.18.9       < 2.8.0          2.18.9
jackson-databind    >= 2.19.0, < 2.21.5      < 2.19.0         2.21.5
jackson-databind    >= 3.1.0, < 3.1.4        < 3.1.0          3.1.4
