Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Published: 2026-06-23
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to bypass the array subtype allowlist defined in BasicPolymorphicTypeValidator when the allowIfSubTypeIsArray method is used. If the attacker supplies a JSON payload that contains an array of a non-allowlisted component type, the deserialization process instantiates the component type directly without performing a further allowlist check. This bypass can lead to arbitrary class instantiation and, if the type contains code that is executed during deserialization, to remote code execution.

Affected Systems

The affected library is FasterXML:jackson-databind. Versions susceptible to the flaw include all releases from 2.10.0 up to but not including 2.18.8, as well as the 2.21.x series before 2.21.4 and the 3.1.x series before 3.1.4. The vulnerability was fixed starting with 2.18.8, 2.21.4, and 3.1.4.

Risk and Exploitability

The CVSS score is 8.1, indicating a high severity. EPSS is not available, and the issue is not listed in CISA's KEV catalog. The likely attack vector involves any application that accepts JSON input and processes it with Jackson's polymorphic deserialization. An attacker who can send a crafted payload containing an array of a non-allowlisted type can trigger the bypass and instantiate the type during deserialization, potentially enabling code execution on the target system.

Generated by OpenCVE AI on June 24, 2026 at 02:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FasterXML:jackson-databind to version 2.18.8, 2.21.4, 3.1.4 or later, depending on your current major release
  • Re-evaluate the use of BasicPolymorphicTypeValidator.allowIfSubTypeIsArray; remove or tightly restrict it to known safe types so that array component types are validated
  • Audit all deserialization endpoints to ensure that untrusted data is not processed by polymorphic deserialization or that type ID checks are enforced
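The allowlist shape the Description and the second recommended action refer to, with the array gap closed by a wrapping validator, as an added example that is not code from the jackson-databind project or from this advisory. It targets the 2.x API (com.fasterxml.jackson.databind); SafeType is a constructed placeholder, and the wrapper is a stopgap for deployments that cannot yet move to a fixed version.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

class SafeType { public int value; }   // constructed placeholder for an allowlisted application type
/** Wraps a PTV and, for array subtypes, also requires the innermost element type to pass it,
 *  so EvilType[] is no longer admitted merely because allowIfSubTypeIsArray() accepts any array. */
final class ArrayElementCheckingValidator extends PolymorphicTypeValidator {
    private final PolymorphicTypeValidator delegate;
    ArrayElementCheckingValidator(PolymorphicTypeValidator delegate) { this.delegate = delegate; }

    @Override public Validity validateBaseType(MapperConfig<?> cfg, JavaType base) throws JsonMappingException {
        return delegate.validateBaseType(cfg, base);
    }

    @Override public Validity validateSubClassName(MapperConfig<?> cfg, JavaType base, String name)
            throws JsonMappingException {
        return delegate.validateSubClassName(cfg, base, name);
    }

    @Override public Validity validateSubType(MapperConfig<?> cfg, JavaType base, JavaType sub)
            throws JsonMappingException {
        JavaType element = sub;
        while (element.isArrayType()) {      // unwrap nested arrays such as EvilType[][]
            element = element.getContentType();
        }
        // The element type must itself be allowlisted. INDETERMINATE is treated as a denial:
        // that is exactly the case the advisory describes, an array whose elements were never checked.
        if (sub.isArrayType() && delegate.validateSubType(cfg, base, element) != Validity.ALLOWED) {
            return Validity.DENIED;
        }
        return delegate.validateSubType(cfg, base, sub);
    }
}

class MapperFactory {
    static ObjectMapper hardenedMapper() {
        // Allowlist shape from the advisory: explicit concrete types plus the blanket array rule.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeType.class)
                .allowIfSubTypeIsArray()     // on affected versions this alone admits EvilType[]
                .build();
        return new ObjectMapper().activateDefaultTyping(
                new ArrayElementCheckingValidator(ptv), ObjectMapper.DefaultTyping.NON_FINAL);
    }
}
```

With the wrapper in place, an array is accepted only when its element type would be accepted on its own, so any array element types the application legitimately needs must appear in the allowlist explicitly.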

Advisories

Source: GitHub GHSA
ID: GHSA-rmj7-2vxq-3g9f
Title: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared
Values Added: Fasterxml; Fasterxml jackson-databind

Type: Vendors & Products
Values Added: Fasterxml; Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
Values Added: (identical to the Description section at the top of this page)

Type: Title
Values Added: jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

Type: Weaknesses
Values Added: CWE-184

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:57:16.381Z

Reserved: 2026-06-15T18:01:15.514Z

Link: CVE-2026-54513

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses
  • CWE-184: Incomplete List of Disallowed Inputs