{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54513", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-15T18:01:15.514Z", "datePublished": "2026-06-23T20:53:52.543Z", "dateUpdated": "2026-06-23T20:57:16.381Z"}, "containers": {"cna": {"title": "jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq-3g9f"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/5981", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/5981"}, {"name": "https://github.com/FasterXML/jackson-databind/issues/5983", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/issues/5983"}, {"name": "https://github.com/FasterXML/jackson-databind/pull/5984", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/pull/5984"}, {"name": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a9e6908e4931e5"}, {"name": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9ebf31cd188f5e8e"}], "affected": [{"vendor": "FasterXML", "product": "jackson-databind", "versions": [{"version": ">= 2.10.0, < 2.18.8", "status": "affected"}, {"version": ">= 2.19.0, < 2.21.4", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T20:57:16.381Z"}, "descriptions": [{"lang": "en", "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4."}], "source": {"advisory": "GHSA-rmj7-2vxq-3g9f", "discovery": "UNKNOWN"}}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0,2.18.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.19.0,2.21.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.1.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "jackson-databind", "source": "cna", "vendor": "FasterXML"}, "product": "jackson-databind", "vendor": "fasterxml"}], "created": "2026-06-23T23:45:04.625737+00:00", "updated": "2026-06-24T02:45:05.436826+00:00", "vendors": ["fasterxml", "fasterxml$PRODUCT$jackson-databind"]}