Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when case‑insensitive deserialization restores properties that were previously excluded with @JsonIgnoreProperties, allowing an attacker to write to fields that should have been ignored. This can let an attacker inject or modify configuration data, compromise data integrity, and in some contexts elevate privileges by changing critical application state.

Affected Systems

FasterXML’s jackson-databind is affected. Versions from 2.8.0 up to and including 2.18.8, 2.21.0‑2.21.4, and 3.1.0‑3.1.3 are vulnerable. The issue is resolved in 2.18.9, 2.21.5, and 3.1.4 and later releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact, and no EPSS score is available, so there is no public data on exploitation frequency. The vulnerability is not listed in CISA KEV. It is likely exploitable by supplying JSON to a component whose target type combines per-property @JsonIgnoreProperties with @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES), a common feature in APIs that process arbitrary JSON. An attacker would need to deliver such a payload to a component that deserializes data with case-insensitivity enabled; upon success, previously ignored properties become writable, potentially enabling configuration tampering or unauthorized data manipulation.

Generated by OpenCVE AI on June 24, 2026 at 02:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jackson-databind to a release that contains the fix: 2.18.9 or later, 2.21.5 or later, or 3.1.4 or later.
  • Revoke or disable @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) for deserialization contexts that rely on @JsonIgnoreProperties, or restrict case‑insensitivity to a whitelist of safe properties.
  • Conduct regression testing to confirm that ignored properties remain non‑writable after deserialization, and consider implementing additional runtime checks or schemas to enforce property-level access control.
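The regression check recommended above can be written as a unit test that exercises exactly the combination the description names: a property carrying both a per-property @JsonIgnoreProperties exclusion and @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES). The following JUnit 5 test is an added example, not code from jackson-databind or from OpenCVE; it assumes jackson-databind 2.x (com.fasterxml.jackson.* packages) and JUnit 5 on the classpath, and the AccountRequest and Settings classes and the JSON inputs are constructed for illustration. On an affected version the contextual deserializer's property map is rebuilt from the unfiltered map, so the ignored "admin" property is written and the assertions fail; on 2.18.9, 2.21.5, 3.1.4 or later they pass.

```java
// Added regression check for CVE-2026-54515 (example code, not jackson-databind's own).
// Assumes jackson-databind 2.x (com.fasterxml.jackson.*) and JUnit 5.
// AccountRequest and Settings are hypothetical types built for this test.
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;

public class IgnoredPropertyRegressionTest {

    // Nested value type whose "admin" flag must never be settable from client JSON.
    public static class Settings {
        public String theme = "light";
        public boolean admin = false;
    }

    // The vulnerable combination from the advisory: "admin" is excluded per-property,
    // and the same property opts into case-insensitive name matching. Before the fix,
    // BeanDeserializerBase.createContextual() rebuilt the case-insensitive map from
    // this._beanProperties (unfiltered) and overwrote the filtered map, re-exposing "admin".
    public static class AccountRequest {
        @JsonIgnoreProperties({"admin"})
        @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
        public Settings settings;
    }

    // FAIL_ON_UNKNOWN_PROPERTIES is disabled only so that a mixed-case spelling of the
    // ignored name is silently dropped on fixed versions instead of raising
    // UnrecognizedPropertyException; the assertion of interest is that "admin" stays false.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);

    static Settings deserialize(String json) throws Exception {
        return MAPPER.readValue(json, AccountRequest.class).settings;
    }

    @Test
    void ignoredPropertyStaysUnwritableWithExactCase() throws Exception {
        // Constructed input: the ignored property supplied with its exact name.
        Settings s = deserialize("{\"settings\":{\"theme\":\"dark\",\"admin\":true}}");
        assertEquals("dark", s.theme);   // ordinary property is still bound
        assertFalse(s.admin);            // ignored property must not be applied
    }

    @Test
    void ignoredPropertyStaysUnwritableWithMixedCase() throws Exception {
        // Constructed input: mixed-case spellings, which only the case-insensitive
        // map could match; "theme" must still bind, "admin" must not.
        Settings s = deserialize("{\"settings\":{\"THEME\":\"dark\",\"Admin\":true}}");
        assertEquals("dark", s.theme);
        assertFalse(s.admin);
    }
}
```

Run it as part of the normal test suite after upgrading, and keep it in place: it fails loudly if a later dependency change reintroduces an affected version, which is exactly the property-level check the recommended actions ask for.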


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-5jmj-h7xm-6q6v
Title: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: First Time appeared
  Values added: Fasterxml; Fasterxml jackson-databind
Type: Vendors & Products
  Values added: Fasterxml; Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type: Description
  Value added: the vulnerability description shown at the top of this page
Type: Title
  Value added: jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
Type: Weaknesses
  Value added: CWE-915
Type: References
Type: Metrics
  Value added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:52:23.714Z

Reserved: 2026-06-15T18:40:01.650Z

Link: CVE-2026-54515

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes