Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in jackson‑databind’s deserialization logic where a case‑insensitive path restores properties that should have been excluded by @JsonIgnoreProperties. The ignored fields become writable again, allowing an attacker to inject data into attributes that were expected to be protected. This manipulation can alter application behavior or compromise configuration integrity, potentially leading to unauthorized actions.

Affected Systems

Impact is limited to FasterXML: jackson‑databind. All releases from 2.8.0 up to but excluding 2.18.9, 2.21.5, and 3.1.4 are vulnerable; specifically versions 2.8.0‑2.18.8, 2.21.0‑2.21.4, and 3.1.0‑3.1.3 contain the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Without an EPSS value the exploitation probability is unclear, and the vulnerability is not listed in KEV. The likely attack vector is the ability to send crafted JSON payloads to an application that deserializes incoming data using jackson‑databind with @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) enabled or when case‑insensitive deserialization is otherwise active. Exploitation would let an attacker write to previously ignored properties, enabling data tampering or misconfiguration, but the impact is confined to the deserialized object scope.

Generated by OpenCVE AI on June 24, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to jackson‑databind 2.18.9, 2.21.5, 3.1.4 or later to receive the fix.
  • If an upgrade cannot be performed immediately, disable @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) or configure the object mapper to enforce case‑sensitive property handling to prevent the buggy restoration logic.
  • Audit existing code that uses @JsonIgnoreProperties to ensure no sensitive fields remain exposed and apply additional filtering or validation as a defensive measure.

Generated by OpenCVE AI on June 24, 2026 at 11:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
History

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Fasterxml
Fasterxml jackson-databind
Vendors & Products Fasterxml
Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
Title jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
Weaknesses CWE-915
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Fasterxml Jackson-databind
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T12:22:56.445Z

Reserved: 2026-06-15T18:40:01.650Z

Link: CVE-2026-54515

cve-icon Vulnrichment

Updated: 2026-06-24T12:22:49.967Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T20:50:25Z

Links: CVE-2026-54515 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:45:02Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes