CVE-2026-54516

Authorization Bypass
Affects: jackson-databind in Jackson
Versions: >=2.13.0 <=2.15.4
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.

An authorization bypass vulnerability (CVE-2026-54516) has been identified in jackson-databind, which allows attackers to write to a property that a developer intended to be read-only over the wire. When a property's getter is given an explicit name while its setter is annotated with @JsonIgnore, the property is renamed rather than dropped during introspection, and its private backing field survives as an inferred mutator, so attacker-supplied JSON using the renamed key writes directly to the field and bypasses the @JsonIgnore.

Per OWASP: the product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

This issue affects multiple versions of Jackson, including the End-of-Life 2.13.x, 2.14.x, and 2.15.x lines.

Details

Vulnerability Info

This Medium-severity vulnerability is found in the com.fasterxml.jackson.core:jackson-databind package in multiple versions of Jackson. It arises when a POJO declares a property whose getter carries an explicit name and whose setter is ignored, while a private backing field remains. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (the default), that field is inferred as a mutator and keeps the property deserializable even after the ignored setter is removed.

Consider a POJO such as the following:

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;

public class Account {
    // Unannotated private backing field: survives introspection as an inferred mutator
    private String role;

    // Explicit name: the property is renamed to "displayRole" instead of being dropped
    @JsonProperty("displayRole")
    public String getRole() {
        return role;
    }

    // Ignoring the setter was meant to make the property read-only over the wire
    @JsonIgnore
    public void setRole(String role) {
        this.role = role;
    }
}

During introspection, POJOPropertiesCollector._removeUnwantedProperties() retains the property because an accessor is explicitly named, and removes only the ignored setter:

if (prop.anyIgnorals()) {
    prop.removeIgnored();
    if (!prop.couldDeserialize()) {
        _collectIgnorals(prop.getName());
    }
}

The guard hinges on couldDeserialize(), which still reports the property as writable because of the surviving field:

public boolean couldDeserialize() {
    return (_ctorParameters != null) || (_setters != null) || (_fields != null);
}

Because couldDeserialize() returns true, the property name is never added to the ignorals, the property survives, and _renameProperties() renames it to its explicit getter name. At deserialization the mutator lookup falls through the removed setter to the field, so attacker-supplied JSON of the form {"displayRole":"admin"} writes the private field directly, defeating the @JsonIgnore the developer placed on the setter. No special configuration is required, since INFER_PROPERTY_MUTATORS is enabled by default and an affected endpoint only needs to accept JSON.
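As an added example (not code from the advisory or from the Jackson project), the following standalone Java program places the vulnerable shape beside a hardened one that declares the read-only intent on the property itself with JsonProperty.Access.READ_ONLY, so the collector drops both the setter and the inferred field for deserialization. The class and method names are mine and the payload is constructed; isWritableOverWire returns true when the renamed key reached the private field.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ReadOnlyPropertyCheck {

    // Vulnerable shape from the advisory: renamed getter, ignored setter, bare private field.
    public static class Account {
        private String role = "user";

        @JsonProperty("displayRole")
        public String getRole() { return role; }

        @JsonIgnore
        public void setRole(String role) { this.role = role; }
    }

    // Hardened shape: READ_ONLY access tells the collector to remove every mutator
    // (setter, constructor parameter and field) when building the deserializer,
    // and to record the name as ignored so the key is skipped rather than written.
    public static class HardenedAccount {
        private String role = "user";

        @JsonProperty(value = "displayRole", access = JsonProperty.Access.READ_ONLY)
        public String getRole() { return role; }

        @JsonIgnore
        public void setRole(String role) { this.role = role; }
    }

    // Constructed payload: the renamed key a client could echo back to a JSON endpoint.
    static final String PAYLOAD = "{\"displayRole\":\"admin\"}";

    // Returns true if deserializing PAYLOAD into the given type changed the role,
    // i.e. if the supposedly read-only property is writable over the wire.
    static boolean isWritableOverWire(ObjectMapper mapper, Class<?> type) throws Exception {
        Object bean = mapper.readValue(PAYLOAD, type);
        String role = (String) type.getMethod("getRole").invoke(bean);
        return "admin".equals(role);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper(); // defaults: INFER_PROPERTY_MUTATORS enabled
        System.out.println("Account writable over wire:         " + isWritableOverWire(mapper, Account.class));
        System.out.println("HardenedAccount writable over wire: " + isWritableOverWire(mapper, HardenedAccount.class));
    }
}
```

Run it against the affected jackson-databind line to see the first check report the field as writable; the same check over your own read-only properties is a cheap regression test to keep in a build.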

This vulnerability has been present since at least Jackson 2.9 and likely earlier.

Mitigation

Only recent versions of Jackson are community-supported. The affected 2.13.x, 2.14.x, and 2.15.x lines are End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for these lines; NES for Jackson is the remedy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade jackson-databind to a currently supported release that contains the fix, such as jackson-databind 2.21.4 or later.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: Medium
  (CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-54516
Project Affected: jackson-databind
Versions Affected: >=2.13.0 <=2.15.4
NES Versions Affected:
Published date: June 23, 2026
≈ Fix date: June 23, 2026
Category: Authorization Bypass