Data Binding Vulnerability in Jackson Databind by FasterXML
CVE-2026-54516

5.3MEDIUM

Key Information:

Vendor

Fasterxml

Status
Jackson-databind
Vendor
CVE Published:
23 June 2026

What is CVE-2026-54516?

The Jackson Databind library contains a vulnerability in the POJOPropertiesCollector._renameProperties() method. This issue allows an attacker to exploit JSON deserialization processes by utilizing a property with a @JsonProperty annotation on the getter and a @JsonIgnore annotation on the setter. When MapperFeature.INFER_PROPERTY_MUTATORS is enabled by default, this leads to the retention of the private backing field. Thus, an attacker can supply a renamed JSON key, which enables them to directly write to the backing field, circumventing the @JsonIgnore protection on the setter. The issue has been addressed in version 3.1.4.

Affected Version(s)

jackson-databind >= 2.21.0, < 2.21.4 < 2.21.0, 2.21.4

jackson-databind >= 3.0.0, < 3.1.4 < 3.0.0, 3.1.4

References

https://github.com/FasterXML/jackson-databind/security/ad...
x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/pull/5967
x_refsource_MISC
https://github.com/FasterXML/jackson-databind/pull/5968
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.