{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54513", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-15T18:01:15.514Z", "datePublished": "2026-06-23T20:53:52.543Z", "dateUpdated": "2026-06-24T14:45:22.699Z"}, "containers": {"cna": {"title": "jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/5981", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/5981"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/5983", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/5983"}, {"name": "https://github.com/FasterXML/jackson-databind/pull/5984", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/pull/5984"}, {"name": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"}, {"name": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"}], "affected": [{"vendor": "FasterXML", "product": "jackson-databind", "versions": [{"version": ">= 2.10.0, < 2.18.8", "status": "affected"}, {"version": ">= 2.19.0, < 2.21.4", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T20:57:16.381Z"}, "descriptions": [{"lang": "en", "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."}], "source": {"advisory": "GHSA-rmj7-2vxq-3g9f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T14:45:02.581065Z", "id": "CVE-2026-54513", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T14:45:22.699Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-54513", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-24T14:45:02.581065Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T14:45:13.067Z"}}], "cna": {"title": "jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)", "source": {"advisory": "GHSA-rmj7-2vxq-3g9f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FasterXML", "product": "jackson-databind", "versions": [{"status": "affected", "version": ">= 2.10.0, < 2.18.8"}, {"status": "affected", "version": ">= 2.19.0, < 2.21.4"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.4"}]}], "references": [{"url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f", "name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FasterXML/jackson-databind/issues/5981", "name": "https://github.com/FasterXML/jackson-databind/issues/5981", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FasterXML/jackson-databind/issues/5983", "name": "https://github.com/FasterXML/jackson-databind/issues/5983", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FasterXML/jackson-databind/pull/5984", "name": "https://github.com/FasterXML/jackson-databind/pull/5984", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5", "name": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e", "name": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T20:57:16.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-54513", "state": "PUBLISHED", "dateUpdated": "2026-06-24T14:45:22.699Z", "dateReserved": "2026-06-15T18:01:15.514Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-23T20:53:52.543Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution", "id": "2492010", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492010"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-184", "details": ["A flaw was found in jackson-databind, a library used for processing data. This vulnerability allows an attacker to bypass security controls designed to validate data types. By sending specially crafted input, an attacker can force the system to process untrusted data, which may lead to the execution of malicious code. This could result in a complete compromise of the affected system, impacting its confidentiality, integrity, and availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-54513", "package_state": [{"cpe": "cpe:/a:redhat:certificate_system:10", "fix_state": "Under investigation", "package_name": "redhat-pki:10/redhat-pki", "product_name": "Red Hat Certificate System 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "dogtag-pki", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "jackson-databind", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "jackson-databind", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-23T20:53:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-54513\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-54513\nhttps://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5\nhttps://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e\nhttps://github.com/FasterXML/jackson-databind/issues/5981\nhttps://github.com/FasterXML/jackson-databind/issues/5983\nhttps://github.com/FasterXML/jackson-databind/pull/5984\nhttps://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"], "statement": "This Important flaw in `jackson-databind` allows for a security bypass, enabling arbitrary code execution. The vulnerability arises from insufficient validation of array component types by `BasicPolymorphicTypeValidator`, which permits deserialization of unallowlisted types when processing untrusted input. This bypass of type validation can lead to a complete system compromise, affecting confidentiality, integrity, and availability in Red Hat products utilizing `jackson-databind` for data processing.", "threat_severity": "Important"}