CVE-2026-54515
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.
An Authorization Bypass vulnerability (CVE-2026-54515) has been identified in jackson-databind, where enabling per-property case-insensitive deserialization causes per-property @JsonIgnoreProperties exclusions to be silently discarded. This re-exposes properties the application intended to be unsettable, allowing an attacker who controls the JSON input to write to those fields and mount a mass-assignment attack.
Per OWASP, this class of weakness (CWE-915, Improperly Controlled Modification of Dynamically-Determined Object Attributes) occurs when the product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
This issue affects versions >=2.8.0 <2.18.9, >=2.19.0 <2.21.5, and >=3.1.0 <3.1.4 of jackson-databind.
Details
Module Info
- Product: jackson-databind
- Affected packages: jackson-databind
- Affected versions: >=2.8.0 <2.18.9, >=2.19.0 <2.21.5, >=3.1.0 <3.1.4
- GitHub repository: https://github.com/FasterXML/jackson-databind
- Published packages:
  - Package manager: Maven
- Fixed in:
  - NES for Jackson 2.13.6, 2.14.4, and 2.15.5
  - Jackson Databind 2.18.9, 2.21.5, 3.1.4 (OSS)
Vulnerability Info
This Medium-severity vulnerability is found in the jackson-databind package. The flaw is in BeanDeserializerBase.createContextual(), in the block that handles JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES. Earlier in the same method, per-property @JsonIgnoreProperties exclusions are applied to a local contextual deserializer, producing a BeanPropertyMap whose ignored properties have already been removed. When case-insensitive matching is then enabled, the code rebuilds the case-insensitive property map from the original, unfiltered _beanProperties field rather than from the filtered contextual map:
Boolean B = format.getFeature(JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES);
if (B != null) {
    // Defect: reads the original, unfiltered field instead of the contextual
    // map from which the per-property @JsonIgnoreProperties exclusions were
    // already removed earlier in createContextual()
    BeanPropertyMap propsOrig = _beanProperties;
    BeanPropertyMap props = propsOrig.withCaseInsensitivity(B.booleanValue());
    if (props != propsOrig) {
        // The rebuilt map replaces the filtered one, re-exposing ignored properties
        contextual = contextual.withBeanProperties(props);
    }
}
Because propsOrig is read from the unfiltered _beanProperties, the rebuilt map is assigned back over the filtered one, re-introducing the very properties that the per-property @JsonIgnoreProperties exclusions had removed. When a bean opts into per-property case-insensitivity and also relies on per-property @JsonIgnoreProperties to block sensitive fields, those fields become writable again from attacker-controlled JSON, defeating the intended mass-assignment defense.
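The following is an added regression check, not code from the advisory or from the jackson-databind project, that reproduces the combination described above (a per-property @JsonIgnoreProperties exclusion together with a per-property ACCEPT_CASE_INSENSITIVE_PROPERTIES override) so a team can confirm whether the jackson-databind build on its classpath still honours the exclusion. The class names IgnoralRegressionCheck, Request and Account, the method exclusionHonoured and the sample JSON are all constructed for this example. Imports are for the 2.x line; on 3.x the databind package is tools.jackson.databind while the annotations package is unchanged.

```java
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added regression check for CVE-2026-54515; all names below are hypothetical.
public class IgnoralRegressionCheck {

    // Nested bean whose "admin" flag must never be settable from request JSON.
    public static class Account {
        public String name;
        public boolean admin;
    }

    // Wrapper that opts the nested bean into per-property case-insensitive
    // matching and relies on a per-property exclusion to block "admin".
    // This is exactly the combination the advisory describes.
    public static class Request {
        @JsonIgnoreProperties({"admin"})
        @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
        public Account account;
    }

    // Returns true when the exclusion is honoured (fixed build) and false when
    // the ignored property has become writable again (affected build).
    public static boolean exclusionHonoured(ObjectMapper mapper) throws Exception {
        // Constructed sample input: a client trying to set the blocked field.
        String json = "{\"account\":{\"name\":\"alice\",\"admin\":true}}";
        Request r = mapper.readValue(json, Request.class);
        return r.account != null && !r.account.admin;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = exclusionHonoured(new ObjectMapper());
        System.out.println(ok
            ? "PASS: per-property @JsonIgnoreProperties still applied with case-insensitive matching"
            : "FAIL: ignored property was written; this jackson-databind build is affected by CVE-2026-54515");
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Run it as a unit test in CI against the resolved jackson-databind version; a FAIL means the dependency is in one of the affected ranges listed above and should be upgraded. Independently of the library fix, the general defence for CWE-915 is to bind untrusted input into a DTO that simply has no field for privileged attributes such as admin, so no ignore list is needed for them at all.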
Mitigation
Only recent versions of jackson-databind are community-supported. The affected 2.13.x, 2.14.x, and 2.15.x lines are End-of-Life and have no publicly available fix for this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade jackson-databind to a currently supported 2.x or 3.x release that contains the fix.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Omkhar Arasaratnam (finder)