Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Published: 2026-06-23
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can influence the type identifier in a JSON payload to inject an arbitrary class into a generic type parameter of an approved container. The deserialization process then resolves and instantiates the target class via Class.forName, bypassing the PolymorphicTypeValidator. This permits the execution of arbitrary code, exposing the system to data tampering, privilege escalation, or full compromise. The weakness is a classic deserialization flaw (CWE-502) combined with inadequate validation of type references (CWE-184).

Affected Systems

Customer software that integrates FasterXML’s jackson-databind library in versions starting with 2.10.0 up through 2.18.8, as well as 2.21.4 and 3.1.4, is affected. Applications that employ polymorphic deserialization and rely on the library’s PolymorphicTypeValidator would be susceptible. No other vendors are listed.

Risk and Exploitability

The CVSS score of 8.1 indicates a high risk, with potential for remote code execution if the application accepts untrusted JSON. Because no EPSS score is available and the vulnerability is not yet in the CISA KEV catalog, the public exploitation likelihood is unknown but could be significant in environments that facilitate uncontrolled JSON input. Attackers likely would exploit this via network services or APIs that deserialize incoming data.

Generated by OpenCVE AI on June 24, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jackson-databind to a patched version (2.18.8, 2.21.4, or 3.1.4 and later).
  • If an upgrade is not immediately possible, disable or tightly constrain polymorphic deserialization for untrusted inputs, or restrict the JSON source to fully trusted channels.
  • Implement an additional runtime check that validates nested generic type arguments against a whitelisted set before allowing deserialization, effectively restoring full PolymorphicTypeValidator coverage.
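To make the third recommendation concrete, here is an added example (not from this record or from the Jackson project) of a PolymorphicTypeValidator decorator, written against the 2.x package names, that re-validates every nested generic type argument with the same rules the wrapped validator applies to a top-level subtype. It assumes that when validateSubClassName does not return ALLOWED the mapper passes the resolved parameterized JavaType to validateSubType (the description only states that the approved-container path skips that step), so treat it as defence in depth alongside the upgrade.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class NestedTypeArgValidator extends PolymorphicTypeValidator {
    private final PolymorphicTypeValidator delegate;   // the existing allow-list validator

    public NestedTypeArgValidator(PolymorphicTypeValidator delegate) {
        this.delegate = delegate;
    }
    @Override
    public Validity validateBaseType(MapperConfig<?> config, JavaType baseType) {
        return delegate.validateBaseType(config, baseType);
    }
    @Override
    public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String name) {
        if (name.indexOf('<') >= 0) {
            return Validity.DENIED; // never approve a generic type id on its name alone
        }
        Validity v = delegate.validateSubClassName(config, baseType, name);
        // Downgrade ALLOWED to INDETERMINATE so the resolved JavaType also reaches validateSubType
        return v == Validity.ALLOWED ? Validity.INDETERMINATE : v;
    }
    @Override
    public Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType) {
        return allowedByDelegate(config, baseType, subType) && nestedArgsAllowed(config, baseType, subType)
                ? Validity.ALLOWED : Validity.DENIED;
    }

    // Name check first, then class check: the same sequence applied to a top-level subtype.
    private boolean allowedByDelegate(MapperConfig<?> config, JavaType baseType, JavaType type) {
        Validity v = delegate.validateSubClassName(config, baseType, type.getRawClass().getName());
        if (v == Validity.INDETERMINATE) {
            v = delegate.validateSubType(config, baseType, type);
        }
        return v == Validity.ALLOWED;
    }

    // Recursively checks every type argument, e.g. the X in ArrayList<X> or Map<K, List<X>>.
    private boolean nestedArgsAllowed(MapperConfig<?> config, JavaType baseType, JavaType type) {
        for (int i = 0; i < type.containedTypeCount(); i++) {
            JavaType arg = type.containedType(i);
            if (!allowedByDelegate(config, baseType, arg) || !nestedArgsAllowed(config, baseType, arg)) {
                return false;
            }
        }
        return true;
    }
}
```

Install it with mapper.activateDefaultTyping(new NestedTypeArgValidator(existingPtv), ObjectMapper.DefaultTyping.NON_FINAL); a type id such as java.util.ArrayList<com.evil.Gadget> is then rejected unless the wrapped rules also approve com.evil.Gadget, which also means container arguments such as java.lang.String must be explicitly allow-listed.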

Advisories

Source: GitHub GHSA
ID: GHSA-j3rv-43j4-c7qm
Title: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
History

Wed, 24 Jun 2026 01:45:00 +0000

Type: First Time appeared
Values Added: Fasterxml; Fasterxml jackson-databind

Type: Vendors & Products
Values Added: Fasterxml; Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
Values Added: the description given at the top of this record

Type: Title
Values Added: jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation

Type: Weaknesses
Values Added: CWE-184, CWE-502

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1, score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:56:36.646Z

Reserved: 2026-06-15T18:01:15.513Z

Link: CVE-2026-54512

Vulnrichment: No data.

NVD: No data.

Redhat: No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses
  • CWE-184: Incomplete List of Disallowed Inputs
  • CWE-502: Deserialization of Untrusted Data