CVE-2026-54512: CWE-184: Incomplete List of Disallowed Inputs in FasterXML jackson-databind
A vulnerability in jackson-databind's polymorphic deserialization allows bypassing the configured PolymorphicTypeValidator (PTV) allow-list when generic type parameters are used. This occurs because only the raw container class name is validated, not the nested generic type arguments. An attacker controlling the type ID can specify a denied class as a generic parameter within an allowed container, leading to unsafe deserialization and potential remote code execution. This issue affects versions from 2.10.0 up to but not including 2.18.8, 2.21.4, and 3.1.4, where it is fixed.
AI Analysis
Technical Summary
jackson-databind versions 2.10.0 through versions prior to 2.18.8, 2.21.4, and 3.1.4 contain a deserialization vulnerability due to incomplete validation of generic type parameters in polymorphic type identifiers. The PolymorphicTypeValidator (PTV) only validates the raw container class name before the generic parameter delimiter '<', allowing an attacker to embed a disallowed class as a generic parameter inside an allowed container type. This bypasses the PTV allow-list and results in the instantiation and population of attacker-controlled classes during deserialization, leading to high impact security risks. The vulnerability is addressed in jackson-databind versions 2.18.8, 2.21.4, and 3.1.4.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass the PolymorphicTypeValidator allow-list and cause the deserialization of arbitrary classes, potentially leading to remote code execution, complete confidentiality, integrity, and availability compromise of the affected system. The CVSS 3.1 score is 8.1 (High), reflecting network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in jackson-databind versions 2.18.8, 2.21.4, and 3.1.4. Users should upgrade to one of these versions or later to remediate the issue. No official patch or temporary fix is indicated beyond upgrading. Until upgraded, avoid enabling polymorphic typing with untrusted input or restrict deserialization to trusted types only.
CVE-2026-54512: CWE-184: Incomplete List of Disallowed Inputs in FasterXML jackson-databind
Description
A vulnerability in jackson-databind's polymorphic deserialization allows bypassing the configured PolymorphicTypeValidator (PTV) allow-list when generic type parameters are used. This occurs because only the raw container class name is validated, not the nested generic type arguments. An attacker controlling the type ID can specify a denied class as a generic parameter within an allowed container, leading to unsafe deserialization and potential remote code execution. This issue affects versions from 2.10.0 up to but not including 2.18.8, 2.21.4, and 3.1.4, where it is fixed.
CVSS v3.1
Score 8.1high
Affected software
pkg:maven/com.fasterxml.jackson.core/jackson-databindRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
jackson-databind versions 2.10.0 through versions prior to 2.18.8, 2.21.4, and 3.1.4 contain a deserialization vulnerability due to incomplete validation of generic type parameters in polymorphic type identifiers. The PolymorphicTypeValidator (PTV) only validates the raw container class name before the generic parameter delimiter '<', allowing an attacker to embed a disallowed class as a generic parameter inside an allowed container type. This bypasses the PTV allow-list and results in the instantiation and population of attacker-controlled classes during deserialization, leading to high impact security risks. The vulnerability is addressed in jackson-databind versions 2.18.8, 2.21.4, and 3.1.4.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass the PolymorphicTypeValidator allow-list and cause the deserialization of arbitrary classes, potentially leading to remote code execution, complete confidentiality, integrity, and availability compromise of the affected system. The CVSS 3.1 score is 8.1 (High), reflecting network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in jackson-databind versions 2.18.8, 2.21.4, and 3.1.4. Users should upgrade to one of these versions or later to remediate the issue. No official patch or temporary fix is indicated beyond upgrading. Until upgraded, avoid enabling polymorphic typing with untrusted input or restrict deserialization to trusted types only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-15T18:01:15.513Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3af602eed863c81e9ec628
Added to database: 06/23/2026, 21:09:22 UTC
Last enriched: 06/23/2026, 21:24:14 UTC
Last updated: 06/23/2026, 23:08:38 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.