Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-54512 (GCVE-0-2026-54512)
Vulnerability from cvelistv5 – Published: 2026-06-23 20:56 – Updated: 2026-06-24 15:22| URL | Tags |
|---|---|
| https://github.com/FasterXML/jackson-databind/sec… | x_refsource_CONFIRM |
| https://github.com/FasterXML/jackson-databind/iss… | x_refsource_MISC |
| https://github.com/FasterXML/jackson-databind/com… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| FasterXML | jackson-databind |
Affected:
>= 2.10.0, < 2.18.8
Affected: >= 2.19.0, < 2.21.4 Affected: >= 3.0.0, < 3.1.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54512",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:54:06.511108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T15:22:43.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jackson-databind",
"vendor": "FasterXML",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.18.8"
},
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.21.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container \u2014 for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T20:56:36.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/5988",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/5988"
},
{
"name": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5"
}
],
"source": {
"advisory": "GHSA-j3rv-43j4-c7qm",
"discovery": "UNKNOWN"
},
"title": "jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54512",
"datePublished": "2026-06-23T20:56:36.646Z",
"dateReserved": "2026-06-15T18:01:15.513Z",
"dateUpdated": "2026-06-24T15:22:43.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-54512",
"date": "2026-07-14",
"epss": "0.00617",
"percentile": "0.45424"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-54512\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-23T21:17:02.203\",\"lastModified\":\"2026-06-27T21:01:36.470\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container \u2014 for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"FasterXML\",\"product\":\"jackson-databind\",\"versions\":[{\"version\":\"\u003e= 2.10.0, \u003c 2.18.8\",\"status\":\"affected\"},{\"version\":\"\u003e= 2.19.0, \u003c 2.21.4\",\"status\":\"affected\"},{\"version\":\"\u003e= 3.0.0, \u003c 3.1.4\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-24T14:54:06.511108Z\",\"id\":\"CVE-2026-54512\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.10.0\",\"versionEndExcluding\":\"2.18.8\",\"matchCriteriaId\":\"925984A4-A2EF-4681-804A-F830B33D6876\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.19.0\",\"versionEndExcluding\":\"2.21.4\",\"matchCriteriaId\":\"59601D96-4AB4-4B53-8DEC-305A6D442E6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.1.4\",\"matchCriteriaId\":\"5C0F99DE-1DB7-4873-83F9-6CEF8E91F33C\"}]}]}],\"references\":[{\"url\":\"https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/issues/5988\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-14T13:36:09+00:00",
"cve": "CVE-2026-54512",
"id": "CVE-2026-54512",
"initial_release_date": "2026-06-23T20:56:36.646000+00:00",
"product_status:fixed": "1",
"product_status:known_affected": "87",
"product_status:known_not_affected": "78",
"product_status:under_investigation": "3",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54512.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54512\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-24T14:54:06.511108Z\"}}}], \"references\": [{\"url\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-24T15:22:13.376Z\"}}], \"cna\": {\"title\": \"jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation\", \"source\": {\"advisory\": \"GHSA-j3rv-43j4-c7qm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FasterXML\", \"product\": \"jackson-databind\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.10.0, \u003c 2.18.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.19.0, \u003c 2.21.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.1.4\"}]}], \"references\": [{\"url\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm\", \"name\": \"https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/issues/5988\", \"name\": \"https://github.com/FasterXML/jackson-databind/issues/5988\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5\", \"name\": \"https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container \\u2014 for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"CWE-184: Incomplete List of Disallowed Inputs\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T20:56:36.646Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-54512\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-24T15:22:43.268Z\", \"dateReserved\": \"2026-06-15T18:01:15.513Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T20:56:36.646Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-54512
Vulnerability from fkie_nvd - Published: 2026-06-23 21:17 - Updated: 2026-06-27 21:01| Vendor | Product | Version | |
|---|---|---|---|
| fasterxml | jackson-databind | * | |
| fasterxml | jackson-databind | * | |
| fasterxml | jackson-databind | * |
{
"affected": [
{
"affectedData": [
{
"product": "jackson-databind",
"vendor": "FasterXML",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.18.8"
},
{
"status": "affected",
"version": "\u003e= 2.19.0, \u003c 2.21.4"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.4"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"matchCriteriaId": "925984A4-A2EF-4681-804A-F830B33D6876",
"versionEndExcluding": "2.18.8",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"matchCriteriaId": "59601D96-4AB4-4B53-8DEC-305A6D442E6E",
"versionEndExcluding": "2.21.4",
"versionStartIncluding": "2.19.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5C0F99DE-1DB7-4873-83F9-6CEF8E91F33C",
"versionEndExcluding": "3.1.4",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container \u2014 for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."
}
],
"id": "CVE-2026-54512",
"lastModified": "2026-06-27T21:01:36.470",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-54512",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T14:54:06.511108Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-23T21:17:02.203",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/5988"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-184"
},
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-J3RV-43J4-C7QM
Vulnerability from github – Published: 2026-06-23 21:21 – Updated: 2026-06-23 21:21jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV.
If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization.
An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.
This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry.
Impact
- Bypass of the PTV allow-list, including the recommended
BasicPolymorphicTypeValidatorconfigured with name-prefix allow rules. - Arbitrary class instantiation of any type assignable to the container's element/parameter position, with attacker-controlled property values (setter/field injection).
- Potential unauthenticated remote code execution when a class with exploitable side effects (JNDI lookup, JDBC/connection-pool gadgets,
TemplatesImpl-style loaders, etc.) is present on the classpath.
Applications that accept untrusted JSON and rely on a configured PTV — the documented, security-conscious configuration — are affected.
Proof of Concept
Configuration restricting polymorphic deserialization to a single safe container:
BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
.allowIfSubType("java.util.ArrayList")
.build();
ObjectMapper mapper = JsonMapper.builder()
.polymorphicTypeValidator(ptv)
.build();
Malicious payload (Wrapper.value is Object with @JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY)):
{"value":["java.util.ArrayList<com.evil.EvilGadget>",[{"cmd":"calc.exe"}]]}
On vulnerable versions, com.evil.EvilGadget is instantiated and its cmd property is set, despite only java.util.ArrayList being allow-listed. On 2.18.8 / 2.21.4 / 3.1.4 the deserialization throws InvalidTypeIdException before instantiation.
Variant payloads (all bypass an ArrayList/HashMap allow-list):
| Type ID | Smuggled type position |
|---|---|
java.util.ArrayList<Evil> |
list element |
java.util.HashMap<Evil,String> |
map key |
java.util.HashMap<String,Evil> |
map value |
java.util.ArrayList<java.util.ArrayList<Evil>> |
nested element |
java.util.ArrayList<Evil[]> |
array element |
Patches
Fixed in 2.18.8, 2.21.4 and 3.1.4 via the changes for FasterXML/jackson-databind#5988, commit 434d6c511. The fix adds recursive validation of each non-trivial type parameter (and array element types appearing as parameters) through the full PTV chain, with documented exemptions for Object (wildcard resolution) and Enum types.
PolymorphicTypeValidator was added in 2.10.0 so vulnerability N/A for versions prior to that.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.18.7"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.18.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.21.3"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.19.0"
},
{
"fixed": "2.21.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3"
},
"package": {
"ecosystem": "Maven",
"name": "tools.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54512"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T21:21:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "`jackson-databind`\u0027s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `\u003c`), `DatabindContext._resolveAndValidateGeneric()` validates **only the raw container class name** (the substring before `\u003c`) against the configured PTV.\n\nIf the container type is approved, the method parses the full canonical type string via `TypeFactory.constructFromCanonical()` and returns the fully parameterized type **without ever validating the nested type arguments** against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization.\n\nAn attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container \u2014 for example `java.util.ArrayList\u003ccom.evil.Gadget\u003e` when only `java.util.ArrayList` is allow-listed. The container passes the PTV check; `com.evil.Gadget` is loaded via `Class.forName(name, true, loader)`, instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.\n\nThis is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry.\n\n\n## Impact\n\n- **Bypass of the PTV allow-list**, including the recommended `BasicPolymorphicTypeValidator` configured with name-prefix allow rules.\n- **Arbitrary class instantiation** of any type assignable to the container\u0027s element/parameter position, with attacker-controlled property values (setter/field injection).\n- **Potential unauthenticated remote code execution** when a class with exploitable side effects (JNDI lookup, JDBC/connection-pool gadgets,`TemplatesImpl`-style loaders, etc.) is present on the classpath.\n\nApplications that accept untrusted JSON and rely on a configured PTV \u2014 the documented, security-conscious configuration \u2014 are affected.\n\n\n## Proof of Concept\n\nConfiguration restricting polymorphic deserialization to a single safe container:\n\n```java\nBasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()\n .allowIfSubType(\"java.util.ArrayList\")\n .build();\n\nObjectMapper mapper = JsonMapper.builder()\n .polymorphicTypeValidator(ptv)\n .build();\n```\n\nMalicious payload (`Wrapper.value` is `Object` with `@JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY)`):\n\n```json\n{\"value\":[\"java.util.ArrayList\u003ccom.evil.EvilGadget\u003e\",[{\"cmd\":\"calc.exe\"}]]}\n```\n\nOn vulnerable versions, `com.evil.EvilGadget` is instantiated and its `cmd` property is set, despite only `java.util.ArrayList` being allow-listed. On `2.18.8` / `2.21.4` / `3.1.4` the deserialization throws `InvalidTypeIdException` before instantiation.\n\n**Variant payloads** (all bypass an `ArrayList`/`HashMap` allow-list):\n\n| Type ID | Smuggled type position |\n|---|---|\n| `java.util.ArrayList\u003cEvil\u003e` | list element |\n| `java.util.HashMap\u003cEvil,String\u003e` | map key |\n| `java.util.HashMap\u003cString,Evil\u003e` | map value |\n| `java.util.ArrayList\u003cjava.util.ArrayList\u003cEvil\u003e\u003e` | nested element |\n| `java.util.ArrayList\u003cEvil[]\u003e` | array element |\n\n---\n\n## Patches\n\nFixed in **2.18.8**, **2.21.4** and **3.1.4** via the changes for [FasterXML/jackson-databind#5988](https://github.com/FasterXML/jackson-databind/issues/5988), commit `434d6c511`. The fix adds recursive validation of each non-trivial type parameter (and array element types appearing as parameters) through the full PTV chain, with documented exemptions for `Object` (wildcard resolution) and `Enum` types.\n\n`PolymorphicTypeValidator` was added in 2.10.0 so vulnerability N/A for versions prior to that.",
"id": "GHSA-j3rv-43j4-c7qm",
"modified": "2026-06-23T21:21:38Z",
"published": "2026-06-23T21:21:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/5988"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation"
}
OPENSUSE-SU-2026:11132-1
Vulnerability from csaf_opensuse - Published: 2026-06-27 00:00 - Updated: 2026-06-27 00:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jackson-databind-2.18.8-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jackson-databind-2.18.8-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11132",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11132-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54512 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54512/"
}
],
"title": "jackson-databind-2.18.8-2.1 on GA media",
"tracking": {
"current_release_date": "2026-06-27T00:00:00Z",
"generator": {
"date": "2026-06-27T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11132-1",
"initial_release_date": "2026-06-27T00:00:00Z",
"revision_history": [
{
"date": "2026-06-27T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-2.1.aarch64",
"product": {
"name": "jackson-databind-2.18.8-2.1.aarch64",
"product_id": "jackson-databind-2.18.8-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-2.1.aarch64",
"product": {
"name": "jackson-databind-javadoc-2.18.8-2.1.aarch64",
"product_id": "jackson-databind-javadoc-2.18.8-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-2.1.ppc64le",
"product": {
"name": "jackson-databind-2.18.8-2.1.ppc64le",
"product_id": "jackson-databind-2.18.8-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-2.1.ppc64le",
"product": {
"name": "jackson-databind-javadoc-2.18.8-2.1.ppc64le",
"product_id": "jackson-databind-javadoc-2.18.8-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-2.1.s390x",
"product": {
"name": "jackson-databind-2.18.8-2.1.s390x",
"product_id": "jackson-databind-2.18.8-2.1.s390x"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-2.1.s390x",
"product": {
"name": "jackson-databind-javadoc-2.18.8-2.1.s390x",
"product_id": "jackson-databind-javadoc-2.18.8-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jackson-databind-2.18.8-2.1.x86_64",
"product": {
"name": "jackson-databind-2.18.8-2.1.x86_64",
"product_id": "jackson-databind-2.18.8-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-2.1.x86_64",
"product": {
"name": "jackson-databind-javadoc-2.18.8-2.1.x86_64",
"product_id": "jackson-databind-javadoc-2.18.8-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.aarch64"
},
"product_reference": "jackson-databind-2.18.8-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.ppc64le"
},
"product_reference": "jackson-databind-2.18.8-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.s390x"
},
"product_reference": "jackson-databind-2.18.8-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.x86_64"
},
"product_reference": "jackson-databind-2.18.8-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.aarch64"
},
"product_reference": "jackson-databind-javadoc-2.18.8-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.ppc64le"
},
"product_reference": "jackson-databind-javadoc-2.18.8-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.s390x"
},
"product_reference": "jackson-databind-javadoc-2.18.8-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.x86_64"
},
"product_reference": "jackson-databind-javadoc-2.18.8-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-54512",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54512"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container - for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54512",
"url": "https://www.suse.com/security/cve/CVE-2026-54512"
},
{
"category": "external",
"summary": "SUSE Bug 1268897 for CVE-2026-54512",
"url": "https://bugzilla.suse.com/1268897"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.s390x",
"openSUSE Tumbleweed:jackson-databind-2.18.8-2.1.x86_64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.aarch64",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.ppc64le",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.s390x",
"openSUSE Tumbleweed:jackson-databind-javadoc-2.18.8-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-27T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-54512"
}
]
}
RHSA-2026:36839
Vulnerability from csaf_redhat - Published: 2026-07-08 18:28 - Updated: 2026-07-14 13:36A flaw was found in Micrometer. A remote attacker can provide specially crafted gRPC (gRPC Remote Procedure Call) requests, which may lead to a denial-of-service (DoS) condition. This vulnerability allows an attacker to disrupt the availability of the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_quarkus:3.33
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in Micrometer. A remote attacker can provide specially crafted HTTP requests, which may lead to a denial-of-service (DoS) condition. This vulnerability allows an attacker to disrupt the availability of the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_quarkus:3.33
|
— |
Vendor Fix
fix
|
A flaw was found in Apache CXF. The EndpointReferenceUtils and W3CMultiSchemaFactory classes within Apache CXF construct a SAXParserFactory without proper security configurations. This oversight enables out-of-band (OOB) external entity resolution, a type of XML External Entity (XXE) vulnerability. A remote attacker could exploit this to disclose sensitive information from the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_quarkus:3.33
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in jackson-databind. This vulnerability allows a remote attacker to bypass the PolymorphicTypeValidator (PTV) when polymorphic typing is enabled and a type identifier contains generic parameters. By crafting a malicious type ID, an attacker can place a denied class as a generic type parameter of an allowed container. This leads to the loading and instantiation of arbitrary classes, potentially resulting in arbitrary code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_quarkus:3.33
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
Red Hat / Red Hat Build of Apache Camel
|
cpe:/a:redhat:apache_camel_quarkus:3.33
|
— |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.2.SP2).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\nRed Hat Product Security has rated this update as having a security impact of Important.",
"title": "Topic"
},
{
"category": "general",
"text": "An update for Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.2.SP2).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution [rhboac-camel-quarkus-3] (CVE-2026-54513)\n* jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass [rhboac-camel-quarkus-3] (CVE-2026-54512)\n* micrometer-core: Micrometer: Denial of Service via specially crafted gRPC requests [rhboac-camel-quarkus-3] (CVE-2026-40983)\n* micrometer-core: Micrometer: Denial of Service via specially crafted HTTP requests [rhboac-camel-quarkus-3] (CVE-2026-40984)\n* cxf-core: Apache CXF: Information disclosure via out-of-band external entity resolution due to missing JAXP hardening [rhboac-camel-quarkus-3] (CVE-2026-49875)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:36839",
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-54513",
"url": "https://access.redhat.com/security/cve/CVE-2026-54513"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-54512",
"url": "https://access.redhat.com/security/cve/CVE-2026-54512"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40983",
"url": "https://access.redhat.com/security/cve/CVE-2026-40983"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40984",
"url": "https://access.redhat.com/security/cve/CVE-2026-40984"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-49875",
"url": "https://access.redhat.com/security/cve/CVE-2026-49875"
},
{
"category": "external",
"summary": "2486697",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486697"
},
{
"category": "external",
"summary": "2486716",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486716"
},
{
"category": "external",
"summary": "2488309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488309"
},
{
"category": "external",
"summary": "2492010",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492010"
},
{
"category": "external",
"summary": "2492015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492015"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36839.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33 update is now available (RHBQ 3.33.2.SP2)",
"tracking": {
"current_release_date": "2026-07-14T13:36:13+00:00",
"generator": {
"date": "2026-07-14T13:36:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.2"
}
},
"id": "RHSA-2026:36839",
"initial_release_date": "2026-07-08T18:28:22+00:00",
"revision_history": [
{
"date": "2026-07-08T18:28:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-08T18:28:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-14T13:36:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
"product": {
"name": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
"product_id": "Red Hat Build of Apache Camel 4.18 for Quarkus 3.33",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:apache_camel_quarkus:3.33"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-40983",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-09T05:00:52.290020+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2486697"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Micrometer. A remote attacker can provide specially crafted gRPC (gRPC Remote Procedure Call) requests, which may lead to a denial-of-service (DoS) condition. This vulnerability allows an attacker to disrupt the availability of the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "micrometer: micrometer-core: Micrometer: Denial of Service via specially crafted gRPC requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial-of-service vulnerability in Micrometer, as a remote unauthenticated attacker can disrupt the availability of affected systems by sending specially crafted gRPC requests. The broad accessibility of gRPC endpoints in typical deployments contributes to the elevated risk, allowing for significant service interruption.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40983"
},
{
"category": "external",
"summary": "RHBZ#2486697",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486697"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40983",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40983"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40983",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40983"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2026-40983",
"url": "https://spring.io/security/cve-2026-40983"
}
],
"release_date": "2026-06-09T03:46:54.131000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T18:28:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to services exposing Micrometer\u0027s gRPC endpoints to trusted clients only. Implement firewall rules to limit inbound connections to the specific ports used by gRPC. If gRPC functionality is not essential for the deployment, consider disabling it entirely to eliminate the attack vector. Any changes to network configurations or service settings may require a service restart to take effect, potentially impacting availability during the transition.",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "micrometer: micrometer-core: Micrometer: Denial of Service via specially crafted gRPC requests"
},
{
"cve": "CVE-2026-40984",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-09T05:01:51.700197+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2486716"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Micrometer. A remote attacker can provide specially crafted HTTP requests, which may lead to a denial-of-service (DoS) condition. This vulnerability allows an attacker to disrupt the availability of the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "micrometer-core: micrometer-jetty11: micrometer-jetty12: Micrometer: Denial of Service via specially crafted HTTP requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial-of-service vulnerability in Micrometer, a component present in several Red Hat products. A remote, unauthenticated attacker can exploit this flaw by sending specially crafted HTTP requests, leading to resource exhaustion and disrupting the availability of affected services. Exploitation of this flaw requires one or more HTTP server instrumentation(s), from one of the vulnerable components, to be configured to record metrics.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40984"
},
{
"category": "external",
"summary": "RHBZ#2486716",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486716"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40984",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40984"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40984",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40984"
},
{
"category": "external",
"summary": "https://spring.io/security/cve-2026-40984",
"url": "https://spring.io/security/cve-2026-40984"
}
],
"release_date": "2026-06-09T03:47:46.447000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T18:28:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "micrometer-core: micrometer-jetty11: micrometer-jetty12: Micrometer: Denial of Service via specially crafted HTTP requests"
},
{
"cve": "CVE-2026-49875",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2026-06-12T10:01:23.698724+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2488309"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache CXF. The EndpointReferenceUtils and W3CMultiSchemaFactory classes within Apache CXF construct a SAXParserFactory without proper security configurations. This oversight enables out-of-band (OOB) external entity resolution, a type of XML External Entity (XXE) vulnerability. A remote attacker could exploit this to disclose sensitive information from the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: org.apache.cxf/cxf-core: Apache CXF: Information disclosure via out-of-band external entity resolution due to missing JAXP hardening",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important information disclosure vulnerability in Apache CXF, affecting Red Hat products that bundle the component, such as Enterprise Application Platform, JBoss Web Server, and Red Hat Single Sign-On. The flaw allows a remote attacker to disclose sensitive information due to improper XML parsing configurations, which can be exploited without user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-49875"
},
{
"category": "external",
"summary": "RHBZ#2488309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488309"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-49875",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49875"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-49875",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49875"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2026/06/11/2",
"url": "http://www.openwall.com/lists/oss-security/2026/06/11/2"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o",
"url": "https://lists.apache.org/thread/3kb9w5bg90xcp06fccoz9k3gpsvyy79o"
}
],
"release_date": "2026-06-12T08:54:50.103000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T18:28:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cxf: org.apache.cxf/cxf-core: Apache CXF: Information disclosure via out-of-band external entity resolution due to missing JAXP hardening"
},
{
"cve": "CVE-2026-54512",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2026-06-23T22:01:49.821346+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2492015"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind. This vulnerability allows a remote attacker to bypass the PolymorphicTypeValidator (PTV) when polymorphic typing is enabled and a type identifier contains generic parameters. By crafting a malicious type ID, an attacker can place a denied class as a generic type parameter of an allowed container. This leads to the loading and instantiation of arbitrary classes, potentially resulting in arbitrary code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in `jackson-databind` is rated as Important. While it describes a potential bypass of the PolymorphicTypeValidator leading to arbitrary code execution, exploitation requires an attacker to already possess administrative privileges, specifically the `manage-realm` role. This flaw does not enable privilege escalation, as it does not grant additional capabilities beyond those inherently available to an existing administrator.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-54512"
},
{
"category": "external",
"summary": "RHBZ#2492015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-54512",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-54512"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-54512",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54512"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5",
"url": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/issues/5988",
"url": "https://github.com/FasterXML/jackson-databind/issues/5988"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm",
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
}
],
"release_date": "2026-06-23T20:56:36.646000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T18:28:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass"
},
{
"cve": "CVE-2026-54513",
"cwe": {
"id": "CWE-184",
"name": "Incomplete List of Disallowed Inputs"
},
"discovery_date": "2026-06-23T22:01:34.437620+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2492010"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in `jackson-databind` allows for a security bypass, enabling arbitrary code execution. The vulnerability arises from insufficient validation of array component types by `BasicPolymorphicTypeValidator`, which permits deserialization of unallowlisted types when processing untrusted input. This bypass of type validation can lead to a complete system compromise, affecting confidentiality, integrity, and availability in Red Hat products utilizing `jackson-databind` for data processing.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-54513"
},
{
"category": "external",
"summary": "RHBZ#2492010",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492010"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-54513",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-54513"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-54513",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54513"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5",
"url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e",
"url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/issues/5981",
"url": "https://github.com/FasterXML/jackson-databind/issues/5981"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/issues/5983",
"url": "https://github.com/FasterXML/jackson-databind/issues/5983"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/pull/5984",
"url": "https://github.com/FasterXML/jackson-databind/pull/5984"
},
{
"category": "external",
"summary": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f",
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"
}
],
"release_date": "2026-06-23T20:53:52.543000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-08T18:28:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:36839"
},
{
"category": "workaround",
"details": "Upgrade to version 2.18.8, 2.21.4, or 3.1.4 or later to address this vulnerability. If upgrading is not immediately possible, remove BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() from the application\u2019s ObjectMapper configuration to eliminate the affected deserialization path. Rebuild and restart the application to apply the configuration change.\n\nAs an additional mitigation, disable polymorphic deserialization of untrusted data where possible by avoiding or removing default typing features such as activateDefaultTyping() or enableDefaultTyping(). When polymorphic deserialization is required, restrict allowed subtypes using a strict whitelist of trusted application packages and avoid broad or permissive type validation rules.",
"product_ids": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Build of Apache Camel 4.18 for Quarkus 3.33"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution"
}
]
}
SUSE-SU-2026:22504-1
Vulnerability from csaf_suse - Published: 2026-07-01 08:56 - Updated: 2026-07-01 08:56| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jackson-annotations, jackson-core, jackson-databind",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues\n\n- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows\n arbitrary class instantiation (bsc#1268897).\n- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).\n- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).\n- CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties\n (bsc#1268902).\n- document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).\n\nChanges for jackson-annotations:\n\n- Update to 2.18.8\n * No changes since 2.17.3\n\nChanges for jackson-core:\n\n- Update to 2.18.8\n * Changes of 2.18.8\n + #1611: Apply number-length validator on streaming integer path\n of async parser\n * Changes of 2.18.7\n + #1570: Fail parsing from \u0027DataInput\u0027 if \u0027StreamReadConstraints\n .getMaxDocumentLength()\u0027 set\n (bsc#1268603, GHSA-2m67-wjpj-xhg9)\n + #1600: Rework 3rd party licenses in jar\n + #1602: \u0027UTF8DataInputJsonParser\u0027 needs to enforce\n \u0027StreamReadConstraints.maxNameLength\u0027 limit\n * Changes of 2.18.6\n + #1512: Number-parsing fix for \u0027UTF8DataInputJsonParser\u0027\n + #1548: \u0027StreamReadConstraints.maxDocumentLength\u0027 not checked\n when creating parser with fixed buffer\n + #1555: Enforce \u0027StreamReadConstraints.maxNumberLength\u0027 for\n non-blocking (async) parser\n * Changes of 2.18.5\n + #1433: \u0027JsonParser#getNumberType()\u0027 throws\n \u0027JsonParseException\u0027 when the current token is non-numeric\n instead of returning null\n + #1446: Invalid package reference to \"java.lang.foreign\" from\n \u0027com.fasterxml.jackson.core:jackson-core\u0027 (from\n \u0027FastDoubleParser\u0027)\n * Changes of 2.18.3\n + #1391: Fix issue where the parser can read back old number\n state when parsing later numbers\n + #1397: Jackson changes additional values to infinite in case\n of special JSON structures and existing infinite values\n + #1398: Fix issue that feature\n COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn\u0027t work when custom\n characterEscape is used\n * Changes of 2.18.2\n + #1359: Non-surrogate characters being incorrectly combined\n when \u0027JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8\u0027 is\n enabled\n * Changes of 2.18.1\n + #1353: Use fastdoubleparser 1.0.90\n * Changes of 2.18.\n + #223: \u0027UTF8JsonGenerator\u0027 writes supplementary characters as a\n surrogate pair: should use 4-byte encoding\n + #1230: Improve performance of \u0027float\u0027 and \u0027double\u0027 parsing\n from \u0027TextBuffer\u0027\n + #1251: \u0027InternCache\u0027 replace synchronized with \u0027ReentrantLock\u0027\n - the cache size limit is no longer strictly enforced for\n performance reasons but we should never go far about the limit\n + #1252: \u0027ThreadLocalBufferManager\u0027 replace synchronized with\n \u0027ReentrantLock\u0027\n + #1257: Increase InternCache default max size from 100 to 200\n + #1262: Add diagnostic method \u0027pooledCount()\u0027 in \u0027RecyclerPool\u0027\n + #1264: Rename shaded \u0027ch.randelshofer:fastdoubleparser\u0027\n classes to prevent use by downstream consumers\n + #1271: Deprecate \u0027LockFreePool\u0027 implementation in 2.18 (remove\n from 3.0)\n + #1274: \u0027NUL\u0027-corrupted keys, values on JSON serialization\n + #1277: Add back Java 22 optimisation in FastDoubleParser\n + #1284: Optimize \u0027JsonParser.getDoubleValue()/getFloatValue()\n /getDecimalValue()\u0027 to avoid String allocation\n + #1305: Make helper methods of \u0027WriterBasedJsonGenerator\u0027\n non-final to allow overriding\n + #1310: Add new \u0027StreamReadConstraints\u0027 (\u0027maxTokenCount\u0027) to\n limit maximum number of Tokens allowed per document#\n + #1331: Update to FastDoubleParser v1.0.1 to fix \u0027BigDecimal\u0027\n decoding proble\n\nChanges for jackson-databind:\n\n- Update to 2.18.8\n * Changes of 2.18.8\n + #5950: Improve \u0027UUIDeserializer\u0027 error handling\n + #5951: Improve \u0027InetSocketAddress\u0027 deserialization\n (bsc#1268899, CVE-2026-54514)\n + #5969: \u0027@JsonView\u0027 by-passed for some \"setterless\" creator\n properties\n + #5971: \u0027@JsonView\u0027 by-passed for unwrapped creator parameters\n + #5974: \u0027@JsonIgnore\u0027 on Record property ignored with\n \u0027PropertyNamingStrategy\u0027\n + #5981: \u0027BasicPolymorphicTypeValidator\u0027 setting\n \u0027allowIfSubTypeIsArray()\u0027 should validate element type\n (bsc#1268898, CVE-2026-54513)\n + #5988: \u0027PolymorphicTypeValidator\u0027 needs to validate generic\n type parameters too (bsc#1268897, CVE-2026-54512)\n + #5993: \u0027UPPER_SNAKE_CASE\u0027 / \u0027LOWER_CASE\u0027 \u0027NamingStrategyImpls\u0027\n fold case using JVM default locale (Turkish-I bug)\n * Changes of 2.18.4\n + #4628: \u0027@JsonIgnore\u0027 and \u0027@JsonProperty.access=READ_ONLY\u0027 on\n Record property ignored for deserialization\n + #5049: Duplicate creator property \"b\" (index 0 vs 1) on simple\n java record\n * Changes of 2.18.3\n + #4444: The \u0027KeyDeserializer\u0027 specified in the class with\n \u0027@JsonDeserialize(keyUsing = ...)\u0027 is overwritten by the\n \u0027KeyDeserializer\u0027 specified in the \u0027ObjectMapper\u0027.\n + #4827: Subclassed Throwable deserialization fails since\n v2.18.0 - no creator index for property \u0027cause\u0027\n + #4844: Fix wrapped array handling wrt \u0027null\u0027 by\n \u0027StdDeserializer\u0027\n + #4848: Avoid type pollution in \u0027StringCollectionDeserializer\u0027\n + #4860: \u0027ConstructorDetector.USE_PROPERTIES_BASED\u0027 does not\n work with multiple constructors since 2.18\n + #4878: When serializing a Map via\n Converter(StdDelegatingSerializer), a NullPointerException is\n thrown due to missing key serializer\n + #4908: Deserialization behavior change with @JsonCreator and\n @ConstructorProperties between 2.17 and 2.18\n + #4917: \u0027BigDecimal\u0027 deserialization issue when using\n \u0027@JsonCreator\u0027\n + #4920: Creator properties are ignored on abstract types when\n collecting bean properties, breaking AsExternalTypeDeserializer\n + #4922: Failing \u0027@JsonMerge\u0027 with a custom Map\n + #4932: Conversion of \u0027MissingNode\u0027 throws\n \u0027JsonProcessingException\u0027\n * Changes of 2.18.2\n + #4733: Wrong serialization of Type Ids for certain types of\n Enum values\n + #4742: Deserialization with Builder, External type id,\n \u0027@JsonCreator\u0027 failing\n + #4777: \u0027StdValueInstantiator.withArgsCreator\u0027 is now set for\n creators with no arguments\n + #4783 Possibly wrong behavior of @JsonMerge\n + #4787: Wrong \u0027String.format()\u0027 in \u0027StdDelegatingDeserializer\u0027\n hides actual error\n + #4788: \u0027EnumFeature.WRITE_ENUMS_TO_LOWERCASE\u0027 overrides\n \u0027@JsonProperty\u0027 values\n + #4790: Fix \u0027@JsonAnySetter\u0027 issue with \"setter\" method\n (related to #4639)\n + #4807: Improve \u0027FactoryBasedEnumDeserializer\u0027 to work better\n with XML module\n + #4810: Deserialization using \u0027@JsonCreator\u0027 with renamed\n property failing (since 2.18)\n * Changes of 2.18.1\n + #4508: Deserialized JsonAnySetter field in Kotlin data class\n is null\n + #4639: @JsonAnySetter on field ignoring unrecognized\n properties if they are declared before the last recognized\n properties in JSON\n + #4718: Should not fail on trying to serialize\n \u0027java.time.DateTimeException\u0027\n + #4724: Deserialization behavior change with Records,\n \u0027@JsonCreator\u0027 and \u0027@JsonValue\u0027 between 2.17 and 2.18\n + #4727: Eclipse having issues due\u0027module-info\u0027 class \"lost\" on\n 2.18.0 jars\n + #4741: When \u0027Include.NON_DEFAULT\u0027 setting is used on POJO,\n empty values are not included in json if default is \u0027null\u0027\n + #4749: Fixed a problem with\n \u0027StdDelegatingSerializer#serializeWithType\u0027 looking up the\n serializer with the wrong argument\n * Changes of 2.18.0\n + #562: Allow \u0027@JsonAnySetter\u0027 to flow through Creators\n + #806: Problem with \u0027NamingStrategy\u0027, creator methods with\n implicit names\n + #2977: Incompatible \u0027FAIL_ON_MISSING_PRIMITIVE_PROPERTIES\u0027 and\n field level \u0027@JsonProperty\u0027\n + #3120: Return \u0027ListIterator\u0027 from \u0027ArrayNode.elements()\u0027\n + #3241: \u0027constructorDetector\u0027 seems to invalidate\n \u0027defaultSetterInfo\u0027 for nullability\n + #3439: Java Record \u0027@JsonAnySetter\u0027 value is null after\n deserialization\n + #4085: \u0027@JsonView\u0027 does not work on class-level for records\n + #4119: Exception when deserialization uses a record with a\n constructor property with \u0027access=READ_ONLY\u0027\n + #4356: \u0027BeanDeserializerModifier::updateBuilder()\u0027 doesn\u0027t\n work for beans with Creator methods\n + #4407: \u0027null\u0027 type id handling does not work with\n \u0027writeTypePrefix()\u0027\n + #4452: \u0027@JsonProperty\u0027 not serializing field names properly on\n \u0027@JsonCreator\u0027 in Record\n + #4453: Allow JSON Integer to deserialize into a single-arg\n constructor of parameter type \u0027double\u0027\n + #4456: Rework locking in \u0027DeserializerCache\u0027\n + #4458: Rework synchronized block from \u0027BeanDeserializerBase\u0027\n + #4464: When \u0027Include.NON_DEFAULT\u0027 setting is used, \u0027isEmpty()\u0027\n method is not called on the serializer\n + #4472: Rework synchronized block in \u0027TypeDeserializerBase\u0027\n + #4483: Remove \u0027final\u0027 on method BeanSerializer.serialize()\n + #4515: Rewrite Bean Property Introspection logic in Jackson\n 2.x\n + #4545: Unexpected deserialization behavior with\n \u0027@JsonCreator\u0027, \u0027@JsonProperty\u0027 and javac \u0027-parameters\u0027\n + #4570: Deprecate \u0027ObjectMapper.canDeserialize()\u0027/\u0027ObjectMapper\n .canSerialize()\u0027\n + #4580: Add \u0027MapperFeature\n .SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER\u0027 to use Creator\n properties\u0027 declaration order for sorting\n + #4584: Provide extension point for detecting \"primary\"\n Constructor for Kotlin (and similar) data classes\n + #4602: Possible wrong use of _arrayDelegateDeserializer in\n BeanDeserializerBase::deserializeFromObjectUsingNonDefault()\n + #4617: Record property serialization order not preserved\n + #4626: \u0027@JsonIgnore\u0027 on Record property ignored for\n deserialization, if there is getter override\n + #4630: \u0027@JsonIncludeProperties\u0027, \u0027@JsonIgnoreProperties\u0027\n ignored when serializing Records, if there is getter override\n + #4634: \u0027@JsonAnySetter\u0027 not working when annotated on both\n constructor parameter \u0026 field\n + #4678: Java records don\u0027t serialize with \u0027MapperFeature\n .REQUIRE_SETTERS_FOR_GETTERS\u0027\n + #4688: Should allow deserializing with no-arg\n \u0027@JsonCreator(mode = DELEGATING)\u0027\n + #4694: Deserializing \u0027BigDecimal\u0027 with large number of\n decimals result in incorrect value\n + #4699: Add extra \u0027writeNumber()\u0027 method in \u0027TokenBuffer\u0027\n + #4709: Add \u0027JacksonCollectors\u0027 with \u0027toArrayNode()\u0027\n implementation\n + Fix #5962: Case-insensitive deserialization may use wrong\n @JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-1124",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22504-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22504-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622504-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22504-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-July/048006.html"
},
{
"category": "self",
"summary": "SUSE Bug 1268603",
"url": "https://bugzilla.suse.com/1268603"
},
{
"category": "self",
"summary": "SUSE Bug 1268897",
"url": "https://bugzilla.suse.com/1268897"
},
{
"category": "self",
"summary": "SUSE Bug 1268898",
"url": "https://bugzilla.suse.com/1268898"
},
{
"category": "self",
"summary": "SUSE Bug 1268899",
"url": "https://bugzilla.suse.com/1268899"
},
{
"category": "self",
"summary": "SUSE Bug 1268902",
"url": "https://bugzilla.suse.com/1268902"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54512 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54512/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54513 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54514 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54514/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54515 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54515/"
}
],
"title": "Security update for jackson-annotations, jackson-core, jackson-databind",
"tracking": {
"current_release_date": "2026-07-01T08:56:00Z",
"generator": {
"date": "2026-07-01T08:56:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22504-1",
"initial_release_date": "2026-07-01T08:56:00Z",
"revision_history": [
{
"date": "2026-07-01T08:56:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jackson-annotations-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch",
"product_id": "jackson-annotations-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-core-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-core-2.18.8-160000.1.1.noarch",
"product_id": "jackson-core-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-core-javadoc-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-databind-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch",
"product_id": "jackson-databind-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-54512",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54512"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container - for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54512",
"url": "https://www.suse.com/security/cve/CVE-2026-54512"
},
{
"category": "external",
"summary": "SUSE Bug 1268897 for CVE-2026-54512",
"url": "https://bugzilla.suse.com/1268897"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "important"
}
],
"title": "CVE-2026-54512"
},
{
"cve": "CVE-2026-54513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54513"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54513",
"url": "https://www.suse.com/security/cve/CVE-2026-54513"
},
{
"category": "external",
"summary": "SUSE Bug 1268898 for CVE-2026-54513",
"url": "https://bugzilla.suse.com/1268898"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "important"
}
],
"title": "CVE-2026-54513"
},
{
"cve": "CVE-2026-54514",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54514"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54514",
"url": "https://www.suse.com/security/cve/CVE-2026-54514"
},
{
"category": "external",
"summary": "SUSE Bug 1268899 for CVE-2026-54514",
"url": "https://bugzilla.suse.com/1268899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54514"
},
{
"cve": "CVE-2026-54515",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54515"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54515",
"url": "https://www.suse.com/security/cve/CVE-2026-54515"
},
{
"category": "external",
"summary": "SUSE Bug 1268902 for CVE-2026-54515",
"url": "https://bugzilla.suse.com/1268902"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54515"
}
]
}
ubuntu-cve-2026-54512
Vulnerability from osv_ubuntu
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.2.2-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.2.2-1ubuntu0.1~esm1?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.2-1",
"2.2.2-1ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.4.2-3ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.4.2-3ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.2-2",
"2.4.2-3",
"2.4.2-3ubuntu0.1~esm1",
"2.4.2-3ubuntu0.1~esm2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.9.8-1~18.04"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.9.8-1~18.04?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.8.6-1",
"2.9.1-1",
"2.9.4-1",
"2.9.5-1",
"2.9.8-1~18.04"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.10.2-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.10.2-1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.9.9.3-1",
"2.10.0-2",
"2.10.1-1",
"2.10.2-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.13.0-2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.13.0-2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.12.1-1",
"2.12.5-1",
"2.13.0-1",
"2.13.0-2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.14.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.14.0-1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.14.0-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.14.0+ds-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.14.0+ds-1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.14.0+ds-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libjackson2-databind-java",
"binary_version": "2.14.0+ds-1build1"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jackson-databind",
"purl": "pkg:deb/ubuntu/jackson-databind@2.14.0+ds-1build1?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.14.0+ds-1",
"2.14.0+ds-1build1"
]
}
],
"aliases": [],
"details": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container \u2014 for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"id": "UBUNTU-CVE-2026-54512",
"modified": "2026-06-25T17:17:44Z",
"published": "2026-06-23T21:17:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-54512"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-54512"
},
{
"type": "REPORT",
"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"
},
{
"type": "REPORT",
"url": "https://github.com/FasterXML/jackson-databind/issues/5988"
},
{
"type": "REPORT",
"url": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5"
},
{
"type": "REPORT",
"url": "https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5"
}
],
"related": [],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-54512"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.