jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
Summary
| CVE | CVE-2026-54513 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-23 21:17:02 UTC |
| Updated | 2026-07-14 12:17:12 UTC |
| Description | jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4. |
Risk And Classification
Primary CVSS: v3.1 8.1 HIGH from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.005630000 probability, percentile 0.425680000 (date 2026-06-29)
Problem Types: CWE-184 | CWE-184 CWE-184: Incomplete List of Disallowed Inputs | CWE-184 Incomplete List of Disallowed Inputs
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Fasterxml | Jackson-databind | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/FasterXML/jackson-databind/commit/24529da29fdf46ff94ca38de9eb... | [email protected] | github.com | Patch |
| github.com/FasterXML/jackson-databind/security/advisories/GHSA-rmj7-2vxq... | [email protected] | github.com | Patch, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:36839 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/FasterXML/jackson-databind/issues/5983 | [email protected] | github.com | Issue Tracking, Patch |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/FasterXML/jackson-databind/commit/01d1692c8d0ed03e51a0e3c4f8a... | [email protected] | github.com | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-54513.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/FasterXML/jackson-databind/issues/5981 | [email protected] | github.com | Issue Tracking |
| access.redhat.com/security/cve/CVE-2026-54513 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/FasterXML/jackson-databind/pull/5984 | [email protected] | github.com | Issue Tracking, Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-23T22:01:34.437Z | Reported to Red Hat. |
| ADP | 2026-06-23T20:53:52.543Z | Made public. |
Solutions
ADP: RHSA-2026:36839: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33
Workarounds
ADP: Upgrade to version 2.18.8, 2.21.4, or 3.1.4 or later to address this vulnerability. If upgrading is not immediately possible, remove BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() from the application’s ObjectMapper configuration to eliminate the affected deserialization path. Rebuild and restart the application to apply the configuration change. As an additional mitigation, disable polymorphic deserialization of untrusted data where possible by avoiding or removing default typing features such as activateDefaultTyping() or enableDefaultTyping(). When polymorphic deserialization is required, restrict allowed subtypes using a strict whitelist of trusted application packages and avoid broad or permissive type validation rules.