CVE 8.1 HIGH

jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)_CVE-2026-54513

June 23, 2026 invoker category_cve
8.1 / 10
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Basic Information

ID CVE-2026-54513
Source GitHub_M
Published Jun 23, 2026 at 20:53
Modified Jun 23, 2026 at 20:57

Affected Product

Vendor FasterXML
Product jackson-databind
Version >= 2.10.0, < 2.18.8
Affected Versions FasterXML jackson-databind >= 2.10.0, < 2.18.8
FasterXML jackson-databind >= 2.19.0, < 2.21.4
FasterXML jackson-databind >= 3.0.0, < 3.1.4

CWE Classification

CWE-184

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.