CVE-2026-54512

Remote Code Execution
Affects: jackson-databind (Jackson)
Versions: >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.

A Remote Code Execution (RCE) vulnerability (CVE-2026-54512) has been identified in jackson-databind, which allows attackers to smuggle a disallowed class past a PolymorphicTypeValidator (PTV) allow-list as a generic type argument and have it instantiated during deserialization. Because the smuggled class is then populated with attacker-controlled property values, an attacker with a suitable gadget on the classpath can escalate this to arbitrary code execution.

Per OWASP: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing an attacker to control the type of object that is reconstructed and, with a suitable gadget, achieve arbitrary code execution.

This issue affects versions >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, and >=3.0.0 <3.1.4 of jackson-databind.

Details

Vulnerability Info

This Critical-severity vulnerability is found in jackson-databind. When polymorphic deserialization is enabled with a PolymorphicTypeValidator allow-list (via activateDefaultTyping(...) or a class- or name-based @JsonTypeInfo), the library is expected to instantiate only classes the validator approves. The flaw is that the validator is consulted only for the raw container class and never for the generic type arguments nested inside the type id.

The validation happens in DatabindContext._resolveAndValidateGeneric(). It extracts the raw container name (the substring before the <), checks only that name against the validator, then resolves the full canonical type string, including the attacker-supplied nested type arguments, and returns it without ever validating those nested parameters:

PolymorphicTypeValidator.Validity vld =
    ptv.validateSubClassName(config, baseType, subClass.substring(0, ltIndex));
if (vld == Validity.DENIED) {
    return _throwSubtypeNameNotAllowed(baseType, subClass, ptv);
}
JavaType subType = getTypeFactory().constructFromCanonical(subClass); // full type, nested args unvalidated
if (!subType.isTypeOrSubTypeOf(baseType.getRawClass())) {
    return _throwNotASubtype(baseType, subClass);
}
if (vld != Validity.ALLOWED) {
    if (ptv.validateSubType(config, baseType, subType) != Validity.ALLOWED) {
        return _throwSubtypeClassNotAllowed(baseType, subClass, ptv);
    }
}
return subType; // nested type parameters never validated

If the allow-list permits even one generic container class by name (for example java.util.ArrayList, java.util.HashMap, or java.util.EnumSet), an attacker who controls the type id can supply a canonical type such as java.util.ArrayList<com.evil.Gadget>. The raw container name java.util.ArrayList passes the name check, while the nested com.evil.Gadget is resolved and instantiated with attacker-controlled property values. Variants such as java.util.HashMap<Evil,String>, java.util.ArrayList<java.util.ArrayList<Evil>>, and java.util.ArrayList<Evil[]> smuggle the gadget through nested generics and array components in the same way, defeating a name-based allow-list and enabling arbitrary class instantiation that can lead to remote code execution.
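As an added defensive example (not code from HeroDevs, Jackson, or this advisory), the validator below never returns ALLOWED from the name check, so the code path above falls through to validateSubType(), which is the only callback that receives the fully resolved JavaType; there it walks every nested type argument and array component against the same allow-list. The allow-listed class names, the placeholder com.example.SafeBean, and the 2.x package names (com.fasterxml.jackson.*) are assumptions.

```java
// Added example, not Jackson's or HeroDevs' code: an allow-list validator that inspects nested generics.
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeepAllowListValidator extends PolymorphicTypeValidator.Base {
    private final Set<String> allowed;
    public DeepAllowListValidator(String... allowedClassNames) {
        this.allowed = new HashSet<>(Arrays.asList(allowedClassNames));
    }

    @Override
    public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String subClassName) {
        // Compare only the raw container name, exactly as _resolveAndValidateGeneric() does.
        int lt = subClassName.indexOf('<');
        String raw = (lt < 0) ? subClassName : subClassName.substring(0, lt);
        // Deliberately never ALLOWED: ALLOWED would skip validateSubType(), the only callback that sees nested args.
        return allowed.contains(raw) ? Validity.INDETERMINATE : Validity.DENIED;
    }

    @Override
    public Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType) {
        return isFullyAllowed(subType) ? Validity.ALLOWED : Validity.DENIED;
    }

    // Every raw class reachable through type arguments or array components must be on the list.
    private boolean isFullyAllowed(JavaType t) {
        Class<?> raw = t.getRawClass();
        if (t.isArrayType()) return isFullyAllowed(t.getContentType());          // e.g. ArrayList<Evil[]>
        if (!raw.isPrimitive() && !allowed.contains(raw.getName())) return false; // e.g. Evil in HashMap<Evil,String>
        for (int i = 0; i < t.containedTypeCount(); i++) {                        // nested generics, any depth
            if (!isFullyAllowed(t.containedType(i))) return false;
        }
        return true;
    }

    // Assumed allow-list for illustration; com.example.SafeBean is a placeholder application type.
    public static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(new DeepAllowListValidator(
                "java.util.ArrayList", "java.lang.String", "com.example.SafeBean"),
                ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }
}
```

With this validator a type id such as java.util.ArrayList<com.evil.Gadget> passes the raw-name check as INDETERMINATE and is then rejected in validateSubType() because com.evil.Gadget is not on the list; it is a defense-in-depth layer alongside the version upgrade the Mitigation section describes.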

This vulnerability was introduced in 2019 with jackson-databind 2.10.

Mitigation

Only recent versions of Jackson are community-supported. The affected 2.13.x, 2.14.x, and 2.15.x lines are End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for these lines; NES for Jackson is the remedy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade jackson-databind to a currently supported 2.x or 3.x release that contains the fix.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity scale (CVSS assessment):
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

Severity: Critical
ID: CVE-2026-54512
Project Affected: jackson-databind
Versions Affected: >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
NES Versions Affected:
Published date: June 22, 2026
Fix date: June 22, 2026
Category: Remote Code Execution