CVE Catalog

CVE-2026-54513

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.68%

48th percentile — higher than 48% of all known CVEs

Summary

A vulnerability in jackson-databind allows bypassing the allowlist in BasicPolymorphicTypeValidator. The allowIfSubTypeIsArray() method permits any array type without validating the component type, enabling deserialization of dangerous types like EvilType[] even if EvilType is not allowlisted.

Risk Assessment

An attacker can remotely perform unauthorized object deserialization, leading to remote code execution (RCE) or other deserialization attacks, posing a serious security risk to the application.

Recommendation

Immediately update jackson-databind to version 2.18.8, 2.21.4, or 3.1.4. If updating is not possible, avoid using allowIfSubTypeIsArray() in BasicPolymorphicTypeValidator configuration.

Original NVD description (English source)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS